Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser.
By so doing, the browser biz will help reduce a longstanding form of web attack that relies on injected code.
“We at Mozilla have done a thorough spec review and intend to change our standards position to positive,” declared Frederik Braun, Firefox security engineer, in a post to a discussion of Mozilla’s views about proposed browser technologies. “We are convinced of the track record that Trusted Types has in terms of preventing DOM-based XSS on popular websites.”
Mozilla won’t implement Trusted Types in Firefox immediately – there are still some technical issues to sort out. But the org’s decision is a win for web security, which has been looking up since May 2020 when Trusted Types shipped in Chrome 83 and Edge 83. Opera (based on the open source Chromium project, like Edge) added support in June 2020.
Trusted Types addresses DOM-XSS, or document object model cross-site scripting – considered to be both rather dangerous and fairly common. Ranked first among the OWASP Top Ten Web Application Security Risks in 2017 – under the category “Injection” – XSS attacks slipped to the third most common vulnerability by 2021. And XSS attacks should become less common as more websites revise their code to take advantage of Trusted Types.
“Trusted Types offers an (optional) mechanism for web sites to protect themselves against XSS (cross-site scripting) attacks,” explained Daniel Vogelheim, a Google software engineer, in a Blink developer mailing list post back in 2018, when the feature was about to be tested.
“Those types of attacks stem from implementation oversights that allow user-controlled (and therefore attacker-controlled) string data to slip through into parts of the DOM where they are interpreted as JavaScript (or script-equivalent).”
Or, as Vogelheim continued, they are made possible when developers fail to sanitize their app’s inputs.
For example, the .innerHTML property, which gets or sets the HTML markup inside the associated element, can be used to execute code (in this case an alert popup):

```javascript
// `el` is an existing DOM element; `name` holds attacker-controlled input
const name = "<img src='x' onerror='alert(1)'>";
el.innerHTML = name; // the onerror handler runs and shows the alert
```

With Trusted Types enabled, the browser expects a TrustedHTML object instead of a plain string.
Trusted Types addresses the risk of unsafe input by limiting the attack surface via Content Security Policy and a content filtering mechanism. And since the capability first showed up three years ago, DOM-XSS attacks have become less common in the Chromium ecosystem.
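One way to put a policy in front of that innerHTML sink, as an added example that is not the article's or any project's code: it assumes a CSP header that enforces Trusted Types, and the policy name `escape-policy`, the `TrustedHTMLStandIn` class and the element objects are constructed here for illustration.

```javascript
// Added example, not code from the article: a Trusted Types policy that
// escapes untrusted strings before they reach an HTML sink such as innerHTML.
// Assumes the page is served with the CSP header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-policy
// under which a plain string assigned to innerHTML is rejected with a TypeError.

// Escape the five characters HTML would interpret as markup.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the browser's TrustedHTML so the code also runs outside a
// browser (e.g. under Node); only the policy below constructs it.
class TrustedHTMLStandIn {
  #html;
  constructor(html) { this.#html = html; }
  toString() { return this.#html; }
}

// Created once: under the CSP above a policy name may be registered only once.
let escapePolicy;
function getEscapePolicy(tt = globalThis.trustedTypes) {
  if (escapePolicy) return escapePolicy;
  escapePolicy = tt && typeof tt.createPolicy === 'function'
    ? tt.createPolicy('escape-policy', { createHTML: escapeHtml })
    : { createHTML: (s) => new TrustedHTMLStandIn(escapeHtml(s)) };
  return escapePolicy;
}

// Mirror of the check the browser performs under the CSP above: refuse
// anything that is not a TrustedHTML value before it reaches the sink.
function setHtml(el, value, tt = globalThis.trustedTypes) {
  const trusted = tt && typeof tt.isHTML === 'function'
    ? tt.isHTML(value)
    : value instanceof TrustedHTMLStandIn;
  if (!trusted) {
    throw new TypeError('innerHTML requires TrustedHTML under require-trusted-types-for');
  }
  el.innerHTML = value;
  return String(el.innerHTML);
}

// Render user-controlled text through the policy: the article's payload
// lands as escaped text, not as an <img> element with an onerror handler.
function renderName(el, untrustedName, policy = getEscapePolicy()) {
  return setHtml(el, policy.createHTML(untrustedName));
}
```

In a browser the real `trustedTypes.createPolicy` and `trustedTypes.isHTML` are used and the stand-in is never constructed; the escaping policy is deliberately strict, and a site that must render real markup would put a sanitizer in `createHTML` instead.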
In an October post to the GitHub repo discussing Mozilla’s positions on various technologies, Vogelheim notes that Google expects to effectively eliminate DOM-XSS risk as it deploys Trusted Types across all of Google’s websites.
“XSS used to be a significant problem at Google, making up 30 percent of overall VRP [Vulnerability Rewards Program] rewards in 2018,” he noted. “In 2023, they account for only 4.1 percent, all for bugs reported against properties that have not migrated to Trusted Types yet. In the past three years, we have not received a single XSS (in VRP; in the wild; or through [our] own research) for a Trusted Types-enabled Google property.”
In a 2021 report [PDF] on Trusted Types, Krzysztof Kotowicz, an information security engineer at Google, wrote, “To date, we have observed zero DOM-XSS in Google applications migrated to Trusted Types.”
Bartosz Niemczura, software engineer at Meta, echoed Google’s enthusiasm in the Mozilla standards discussion thread, stating, “At Meta, we see Trusted Types as a useful security mechanism as well. I believe that broader support across browsers and broader deployment across websites would be beneficial to the web platform overall.”
Toward that end, Niemczura pointed to a post he made in May urging Apple’s WebKit team to consider adopting Trusted Types based on successful deployment by Google, Meta, and Microsoft across various websites. Currently, Trusted Types is present or enforced in about ten percent of Chrome web page loads.
Bruce Perens, a veteran programmer and one of the founders of the Open Source movement, expressed enthusiasm for the technology after deploying it.
“I’ve implemented Trusted Types on a web app, and I felt they were really helpful in identifying lots of ‘injection sites’ where a cross-site scripting attack could happen, and requiring me to provide a filter or some other way of securing user input that got there,” he wrote in an email to The Register.
Perens said that while Trusted Types are only enforced in some browsers, developers should adapt their web app code to support the XSS defense because he believes Firefox, Safari, and other browsers will eventually include the technology.
“The web obviously evolved through a whole bunch of pieces being stacked on previous work as an afterthought, manipulation of the DOM, the document object model, by JavaScript being the biggest addition to the simple HTML of the early web,” Perens said. “The addition of Trusted Types helps to close security holes that were created by that early work. But a competent programmer is required to take advantage of this – cross-site scripting will still be possible if a website doesn’t use Trusted Types.”