koto · February 9, 2021 11:08 · shhnjk · Feb 9, 2021
diff --git a/ttandsanitizer.js b/ttandsanitizer.js
 // Sanitizer can produce TrustedHTML as long as its configuration respects sinks guarded by TT. 
 // (HTML sinks are only guarded because they themselves could bypass restrictions of script.src etc.)
 // With the current sanitizer API (no XSS is possible via config), and current TT API (only native XSS sinks are guarded), 
 // Sanitizer can always produce a TrustedHTML.

 trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div><script>removeme</script>') // yay!

 // If Web APIs add new native XSS sinks, they should be added simultaneously to TT and Sanitizer

 // Speculatively, in the future, if TT could guard other custom sinks in the DOM:

 // E.g. let's imagine we can block [data-trustedscript-*]  attributes like so:
 // Perhaps this should work by default, and not be configurable, or the configuration is in the header.
 trustedTypes.strawman.requireTrustedTypeForDataAttributesWithThePrefix('trustedscript', 'TrustedScript') 
 
 // From now on, the default sanitizer should not "just" produce TrustedHTML. 
 // Payloads that contain the restricted sinks should not be produced by the santiizer (it'd be a bypass).

 // Throws a TT violation (or calls a default policy?)
 trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div data-trustedscript-sneaky=evil></div>') 
 // Throws, just like el.innerHTML, or DOMParser.parseFromString (mabe call a default policy?)
 nodes = (new Sanitizer()).sanitizeToNodes('<div data-trustedscript-sneaky=evil></div>') 
 // Doesn't _need_ to throw, but not throwing would be surprising. (maybe call a default policy?)
 string = (new Sanitizer()).sanitizeToString('<div data-trustedscript-sneaky=evil></div>') 

 // But we can configure the sanitizer to respect TT and produce TrustedHTML again.
 trustedHTML = (new Sanitizer({
  blockAttributes: {"data-trustedscript-sneaky": ["*"]}
 })).sanitizeToTrustedHTML('<div data-trustedscript-sneaky=evil></div>') // works, as no sink was touched.
	// Sanitizer can produce TrustedHTML as long as its configuration respects sinks guarded by TT.
	// (HTML sinks are only guarded because they themselves could bypass restrictions of script.src etc.)
	// With the current sanitizer API (no XSS is possible via config), and current TT API (only native XSS sinks are guarded),
	// Sanitizer can always produce a TrustedHTML.

	trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div><script>removeme</script>') // yay!

	// If Web APIs add new native XSS sinks, they should be added simultaneously to TT and Sanitizer

	// Speculatively, in the future, if TT could guard other custom sinks in the DOM:

	// E.g. let's imagine we can block [data-trustedscript-*] attributes like so:
	// Perhaps this should work by default, and not be configurable, or the configuration is in the header.
	trustedTypes.strawman.requireTrustedTypeForDataAttributesWithThePrefix('trustedscript', 'TrustedScript')

	// From now on, the default sanitizer should not "just" produce TrustedHTML.
	// Payloads that contain the restricted sinks should not be produced by the santiizer (it'd be a bypass).

	// Throws a TT violation (or calls a default policy?)
	trustedHTML = (new Sanitizer()).sanitizeToTrustedHTML('<div data-trustedscript-sneaky=evil></div>')
	// Throws, just like el.innerHTML, or DOMParser.parseFromString (mabe call a default policy?)
	nodes = (new Sanitizer()).sanitizeToNodes('<div data-trustedscript-sneaky=evil></div>')
	// Doesn't _need_ to throw, but not throwing would be surprising. (maybe call a default policy?)
	string = (new Sanitizer()).sanitizeToString('<div data-trustedscript-sneaky=evil></div>')

	// But we can configure the sanitizer to respect TT and produce TrustedHTML again.
	trustedHTML = (new Sanitizer({
	blockAttributes: {"data-trustedscript-sneaky": ["*"]}
	})).sanitizeToTrustedHTML('<div data-trustedscript-sneaky=evil></div>') // works, as no sink was touched.