Trusted Types API: Google has created a new API that will help Chrome fight certain types of cross-site scripting (XSS) attacks by adding another layer of protection at the browser level.
The new feature is called Trusted Types and is a Chrome browser API that Google has been working on in recent months.
The company's developers plan to test the Trusted Types API throughout 2019, between Chrome 73 and Chrome 76, before enabling it as a permanent security feature for all users of Chrome later this year.
This new security feature was developed to protect users from one of the three types of cross-site scripting flaws, DOM-based (or type-0) XSS.
A detailed analysis of the three XSS types is available here, for readers who want to learn more about XSS.
Basically, DOM-based XSS is a vulnerability found in a website's source code. Hackers exploit so-called injection points to insert code into the browser's DOM (the page's source code) so that it performs unwanted malicious functions, such as stealing cookies, manipulating page content, redirecting users, etc.
The Trusted Types API will prevent such attacks by allowing page owners to lock down the known "injection points" in a site's code, which are often the root cause of DOM-based XSS.
Webmasters will be able to enable Chrome's upcoming Trusted Types protection by assigning a specific value to the Content Security Policy (CSP) HTTP response header.
Once enabled, access to DOM injection points will be restricted by Chrome's built-in Trusted Types API, blocking attacks before XSS code can leverage the page's DOM to attack users.
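To make the "locked injection point" idea concrete, here is an added example (constructed for this article, not Google's or Chrome's code) that models the enforcement in Node.js: a sink such as innerHTML refuses plain strings and accepts only values minted through a named policy. The policy name, the escaping sanitizer and the GuardedElement stand-in are assumptions; in a real browser the corresponding pieces are window.trustedTypes.createPolicy(), the TrustedHTML type and the CSP directive require-trusted-types-for 'script'.

```javascript
// Constructed Node.js model of Trusted Types enforcement (added illustration,
// not Chrome's code). In the browser the real pieces are
// window.trustedTypes.createPolicy(), TrustedHTML and the CSP directive
// `require-trusted-types-for 'script'`.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Modelled after trustedTypes.createPolicy(name, rules): page code can only
// mint a TrustedHTML through a named policy's createHTML rule.
function createPolicy(name, rules) {
  if (typeof rules.createHTML !== 'function') {
    throw new TypeError(`policy "${name}" has no createHTML rule`);
  }
  return { name, createHTML: (s) => new TrustedHTML(rules.createHTML(String(s))) };
}

// Stand-in sanitizer for the policy (assumption: a site picks its own).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for a DOM element whose innerHTML is a locked injection point:
// under enforcement the sink rejects anything that is not TrustedHTML.
class GuardedElement {
  #html = '';
  set innerHTML(value) {
    if (!(value instanceof TrustedHTML)) {
      throw new TypeError('This document requires TrustedHTML assignment');
    }
    this.#html = value.toString();
  }
  get innerHTML() { return this.#html; }
}

// Raw string write; returns true only if the sink accepted it.
function assignRaw(el, untrusted) {
  try { el.innerHTML = untrusted; return true; } catch (e) { return false; }
}

// Write through the policy so the sink receives TrustedHTML; returns the
// markup the sink now holds.
function assignViaPolicy(el, untrusted, policy) {
  el.innerHTML = policy.createHTML(untrusted);
  return el.innerHTML;
}
const escaper = createPolicy('escape', { createHTML: escapeHtml });
```

The raw write fails closed (the sink keeps its previous content), while the same input routed through the policy reaches the sink only in escaped form, which is the behaviour a site sees once the CSP value is set.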
A tutorial on how website owners can enable the Trusted Types API via the Content Security Policy (CSP) HTTP response header, and on how users can configure Chrome to use the first versions of the API, is available on the Google Developers blog.