• Mozilla plans to implement Trusted Types in Firefox to reduce web attacks relying on injected code.
• Trusted Types has been successful in preventing DOM-based XSS on popular websites.
• As more websites adopt Trusted Types, XSS attacks are expected to become less common.
I had no idea trusted types existed, and took a while to realise the w3 docs was confusing as hell.
But mozilla to the rescue : https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_APISo it boils down to a javascript api to santize a string before using it in a plathora of javascript functions that interact with the DOM. Neat, but if the developer has to make the policy themselves i dont see the added bonus to this. XSS seems to be still possible if the policy is made incorrectly?
Edit : or am i reading the example wrong and the developer defined code is on top of whatever the api does with the string? I also dont understand why the browsers implementation of innerHtml couldnt just automatically apply whatever that policy does…
Not much of a surprise given how they removed GTK theming from thunderbird and maybe Firefox