Trusted Types

[Malvoz]

Consider adding the trusted-types and require-trusted-types-for directives.

[kingthorin]

Google CSP evaluator is already including it and Chrome, Edge, Opera and Android browsers are supporting it.

Ref: zaproxy/zaproxy#6602

[kingthorin]

Any chance this will be added/handled anytime soon?

[kingthorin]

Or is there something I could model it after and raise a PR?

[kingthorin]

@bakkot Any tips on tackling this one? I think I’m ready to give it a shot. I can start totally in the dark but any tips to make the PR require potentially less review/revision would be wonderful.

[bakkot]

The process will be basically

• define new Value kinds for new directive values which are more complex than just a boolean. At a glance, you probably want a special Value kind for tt-policy-name, but the others look like they can be handled as booleans on the directive.
• define new Directives kind for both new directives ("trusted-types" and ("require-trusted-types-for")
  • add helpers to allow reading and writing their attributes, and ensure that updating keeps their internal values field up to date (by using the addValue and removeValueIgnoringCase helpers, mainly)
• update the parser to handle them
• add tests
• optionally add helpers for queries like "Should Trusted Type policy creation be blocked by Content Security Policy?", though these aren't so important.

The main challenges in my experience is figuring out what the spec is trying to say and whether that's actually what browsers do. For example, it says the syntax is defined by an ABNF, which means keywords are case-insensitive ("ABNF strings are case insensitive"). So per spec, 'ALLow-DUPlicATES' is a legal way to write 'allow-duplicates'. Is that actually intentional? Is that what browsers do? Gotta check. Similarly, are policy names case-sensitive or not? That affects the representation and especially the manipulation of those Values.

[kingthorin]

Thank you!

[kingthorin]

I've started and given up on this a few times. If someone else feels like giving it a go please don't wait on me coming through 😞