Trusted Types API: Google has created a new API that will help Chrome combat certain types attacks cross-site scripting (XSS), προσθέτοντας ένα άλλο επίπεδο προστασίας σε επίπεδο προγράμματος περιήγησης.
This new feature is called Trusted Types and is a browser API Chrome which Google has been working on in recent months.
The company's developers plan to test the Trusted Types API throughout 2019, between Chrome 73 and Chrome 76, before turning it on as a permanent security feature for all Chrome users later this year.
This new security feature was developed to protect users from one of three types of cross-site scripting vulnerabilities, DOM-based (or type-0) XSS.
A detailed analysis of the three XSS types available here, for readers who want to learn more about XSS.
Βασικά, το XSS που βασίζεται στο sun είναι μια ευπάθεια που βρίσκεται στον πηγαίο κώδικα ενός ιστότοπου. Οι hackers exploit so-called injection points to inject code into the browser's DOM (page source code) to perform unwanted malicious functions, such as theft of cookies, manipulation of page content, redirection of users, etc.
The Trusted Types API will prevent such attacks by allowing page owners to lock known "injection points" into a site's code, which is often the root cause of DOM-based XSS.
Webmasters will be able to enable the imminent protection of Chrome Trusted Types by assigning a specific value to the Content Security Policy (CSP) HTTP response header.
Once enabled, access to the DOM injection points will be restricted by Chrome's built-in Trusted Types API, preventing any attacks before the XSS code utilizes the DOM page source code to attack users.
A tutorial on how website owners can enable the Trusted Types API via the Content Security Policy (CSP) HTTP response header and how users can configure Chrome to use early versions of the API is available on Google Developers blog.