Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't recommend trusted-types if CSP blocks scripts #43

Open
Seirdy opened this issue Oct 16, 2021 · 1 comment
Open

Don't recommend trusted-types if CSP blocks scripts #43

Seirdy opened this issue Oct 16, 2021 · 1 comment

Comments

@Seirdy
Copy link
Contributor

Seirdy commented Oct 16, 2021

If a CSP has script-src: none or equivalent to forbid script loading, or if it has a sandbox directive to forbid script execution, the CSP evaluator shouldn't recommend requires-trusted-types-for: script because there is no script execution happening in the first place.
@Seirdy
Copy link
Contributor Author

Seirdy commented Dec 14, 2021

I considered making this issue about skipping the trusted-types recommendation even if scripts are present if they don't mess with DOM XSS sinks. I decided against this because adding the necessary script parsing logic to the CSP Evaluator would complicate things.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Seirdy