Mozilla decides Trusted Types is a worthy security feature

• Mozilla plans to implement Trusted Types in Firefox to reduce web attacks relying on injected code.

• Trusted Types has been successful in preventing DOM-based XSS on popular websites.

• As more websites adopt Trusted Types, XSS attacks are expected to become less common.

DacoTaco (edited)
@DacoTaco@lemmy.world

I had no idea Trusted Types existed, and took a while to realise the W3 docs were confusing as hell.
But Mozilla to the rescue: developer.mozilla.org/en-US/…/Trusted_Types_API

So it boils down to a JavaScript API to sanitize a string before using it in a plethora of JavaScript functions that interact with the DOM. Neat, but if the developer has to make the policy themselves I don't see the added bonus to this. XSS seems to be still possible if the policy is made incorrectly?

Edit: or am I reading the example wrong and the developer-defined code is on top of whatever the API does with the string? I also don't understand why the browsers' implementation of innerHTML couldn't just automatically apply whatever that policy does…
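
For reference alongside the question above, an added example (not from the thread, Mozilla, or the linked docs) of how a Trusted Types policy and its enforcement fit together. The policy name `escape-html` and the helpers `escapeHTML`, `createEscapePolicy` and `render` are assumptions made for illustration; the escaping callback is developer-written code, so its correctness is still what decides whether markup gets through.

```javascript
// Enforcement comes from a CSP response header, not from the policy object:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-html
// With that header, DOM sinks such as innerHTML throw a TypeError when handed a
// plain string, and only policies named in `trusted-types` may be created.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Developer-written policy callback (hypothetical helper): every HTML string
// bound for a sink passes through here, so a weak callback weakens the page.
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// `factory` is window.trustedTypes in a supporting browser. Taking it as a
// parameter lets the same code be exercised outside the browser with a stub.
function createEscapePolicy(factory) {
  return factory.createPolicy('escape-html', { createHTML: escapeHTML });
}

// The only place a sink is written: the value comes from the policy, so
// auditing for DOM XSS narrows to the policy callback above.
function render(element, policy, untrusted) {
  element.innerHTML = policy.createHTML(untrusted);
}

// Browser-only demonstration; skipped where the API or the DOM is absent.
if (globalThis.trustedTypes && globalThis.document) {
  const policy = createEscapePolicy(globalThis.trustedTypes);
  const target = document.createElement('div');
  try {
    target.innerHTML = '<b>raw string</b>'; // rejected when the CSP above is enforced
  } catch (err) {
    console.log('raw string rejected by sink:', err.name);
  }
  render(target, policy, '<b onclick="x()">hi</b>'); // constructed sample input
  console.log(target.textContent);
}
```

A policy registered under the name `default` is invoked automatically when a plain string reaches a sink, which is the closest the API comes to applying a policy without changing each call site.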

IHeartBadCode
@IHeartBadCode@kbin.social

Aatube
@Aatube@kbin.social

Not much of a surprise given how they removed GTK theming from Thunderbird and maybe Firefox
