Frederik Braun �
New blog post: Perfect types with `setHTML()` - https://frederikbraun.de/perfect-types-with-sethtml.html - TLDR: Use require-trusted-types-for 'script'; trusted-types 'none'; in your CSP and nothing besides setHTML() works, essentially removing all DOM-XSS risks....
Perfect types with `setHTML()`

Perfect types with `setHTML()`

Frederik Braun
Mar 7 at 9:37pmWeb
Show threadFrederik Braun �Mar 7
ht @shhnjk ;)
Show threadLukeMar 7
@freddy fyi there's a minor typo with your csp string under the Trusted Types heading. You're missing the closing the ';
Show threadFrederik Braun �Mar 7
@Lukew fixed, thanks. (and this is why nobody should be writing content security policies :))
Show threadTom SchusterMar 7
@freddy How is 3. a concern, if you can't parse any strings?
Show threadFrederik Braun �Mar 7
@evilpie right.. 😅
Show threadFrederik Braun �Mar 7
@evilpie would be pretty bad if repeatedly parsing through setHTML could even have that issue. thanks.
Show threadTom SchusterMar 7
@freddy yeah. I am glad you published this idea as blog post.
Show threadMike CardwellMar 8
@freddy Nice. I have updated the CSP for https://www.grepular.com/ with this
Show threadFrederik Braun �Mar 8
@grepular nice!