Opened 9 months ago
Last modified 5 weeks ago
#61569 new enhancement
Content-Security-Policy (CSP) add support for trusted types (centralized input validation of text inserted into DOM XSS sinks)
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
The HTTP security header "Content-Security-Policy" (CSP) allows making browsing a website more secure for its users by providing directives to the browser on how to protect it (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
While various CSP features are already supported by WordPress (cf. e.g. https://jornfranke.codeberg.page/technology-tutorials/wordpress-csp/), there can be support for an additional directive relevant for Gutenberg: Trusted Types (https://w3c.github.io/trusted-types/dist/spec/) (see also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types). These essentially allow defining, in the WordPress/Gutenberg JavaScript code, a central function that validates any text inserted by users/other scripts into the website (for instance, one could insert malicious HTML or script code into a block that is then later displayed to another user).
Other frameworks, such as Angular, also support this (see https://angular.io/guide/security#enforcing-trusted-types).
I can add to my CSP the trusted-types policy "wordpress", e.g.

```
Content-Security-Policy: trusted-types wordpress; require-trusted-types-for 'script';
```
Then a function (provided by WordPress) is automatically triggered to sanitize any input before it is added to the DOM. Here is a simple untested example using DOMPurify based on this webpage:

```javascript
// Only register the policy where the browser implements Trusted Types;
// the policy name must match the one listed in the CSP header.
if (window.trustedTypes && trustedTypes.createPolicy) {
  trustedTypes.createPolicy('wordpress', {
    // Called for every string assigned to an HTML sink (innerHTML etc.);
    // `sink` names the sink, `string` is the untrusted input.
    createHTML: (string, sink) =>
      DOMPurify.sanitize(string, { RETURN_TRUSTED_TYPE: true })
  });
}
```
I recommend though to use the standard sanitization function already available in WordPress.
See also this article on how to implement a trusted-type policy: https://web.dev/articles/trusted-types#trusted-type-policy
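As an added example (not the reporter's code and not WordPress's), the policy registration with a fallback for browsers without Trusted Types, so the rest of the code can call `policy.createHTML()` unconditionally. `sanitizeHTML` is a constructed placeholder standing in for DOMPurify or the WordPress sanitizer, and the `tt` parameter exists only so the function can be exercised outside a browser.

```javascript
// Constructed stand-in sanitizer: drops <script> elements and on* handlers.
// Placeholder only; a real deployment must use DOMPurify or WordPress's
// own sanitizer here, never a hand-written regex.
function sanitizeHTML(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Register the "wordpress" policy when the browser supports Trusted Types.
// With  Content-Security-Policy: trusted-types wordpress; require-trusted-types-for 'script'
// the browser rejects plain strings at innerHTML, eval() & co. and only accepts
// TrustedHTML values minted by this policy, so every string reaching a DOM XSS
// sink passes through the one central sanitizer. Browsers without support get a
// plain object with the same interface (the sanitizer still runs, the browser
// just does not enforce it). `tt` defaults to the real global; tests pass a stub.
function createWordPressPolicy(tt = globalThis.trustedTypes) {
  const rules = {
    createHTML: (input) => sanitizeHTML(String(input)),
  };
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy('wordpress', rules);
  }
  return { name: 'wordpress', createHTML: (s) => rules.createHTML(s) };
}

// Usage at a sink: assign the policy's result, never the raw string.
// Returns the stringified value that ended up in the sink.
function renderBlock(element, policy, untrustedHTML) {
  element.innerHTML = policy.createHTML(untrustedHTML);
  return String(element.innerHTML);
}
```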
The advantage of a central policy would be that I can also cover for plugins with issues in securely sanitizing inputs.
See also the complementary issue for Gutenberg: https://github.com/WordPress/gutenberg/issues/60736