GitXplorerGitXplorer
g

safevalues

public
111 stars
14 forks
42 issues

Commits

List of commits on branch main.
Unverified
184f6d81a34dd35e1f1f69ce72b87411a5d935fd

Downgrade the global attribute contracts for "cite" and "poster".

nneuracr committed a day ago
Unverified
5cde7cfd5462bdf0b775712b94edbe3bde8e1b87

Take a Document arg in `getStyleNonce` and `getScriptNonce`. Note: this should have been part of v1.0.0.

nneuracr committed 18 days ago
Unverified
94ed9d15b9e2285b62fda7bea8b3025aa83b727c

Automated Code Change

nneuracr committed 19 days ago
Unverified
c80c3cbe3a2011fe171fa5ee65dd5d3b2c9abb20

Drop the disclaimer.

nneuracr committed a month ago
Unverified
1bdeb7c406fa2a05af6e9d65fc30d72d29001325

Clean up some TODOs.

nneuracr committed a month ago
Unverified
696c5f56091785dcbba33898dfd6ae6e3dab219b

Use the new safevalues/dom in the internal implementations to have cleaner exports.

nneuracr committed a month ago

README

The README file for this repository.

safevalues

Safevalues is a library to help you prevent Cross-Site Scripting vulnerabilities in TypeScript (and JavaScript). It is meant to be used together with safety-web to provide strong security guarantees and help you deploy TrustedTypes and other CSP restrictions in your applications. Google has used these components together to reduce DOM XSS (paper), and we hope it will be useful in your codebase.

Features

Policy definition for building safe-by-construction Trusted Types

Trusted Types is a browser API that enables developers to control the values that can be assigned to XSS sinks. Developers need to define a Trusted Types policy to build these values, and then the Trusted Types API constraints these policies.

The Trusted Types API is not opinionated on what should be considered safe. It only acts as a tool for developers to mark values they can trust.

safevalues in contrast, defines functions that make security decisions on what is safe (by construction, via escaping or sanitization), so that developers who are not security experts don't need to.

safevalues produces Trusted Types (through its own policy) when available.

Additional types and functions for sinks not covered by Trusted Types

Some DOM APIs are not covered by Trusted Types, but can also be abused; leading to XSS or other security issues. Alternative security mechanisms such as the unsafe-inline CSP protection can help to secure these APIs, but not all browsers or apps support them.

safevalues defines additional types, builders, and setters to help protect these sinks.

DOM sink wrappers

To build a Trusted Types-compatible app and surface potential violations at compile time, we recommend that you lint your code with safety-web. safety-web bans certain DOM APIs. safevalues defines wrappers around these APIs which lets you assign Trusted Types with them.

Some wrappers don't require a particular type, but sanitize the argument they get before they assign it to the DOM sink (e.g. setLocationHref from safevalues/dom).

Trusted Types polyfills

Whenever possible, safevalues uses Trusted Types to build its values, in order to benefit from the runtime protection of Trusted Types. When Trusted Types is not available, safevalues transparently defines its own types and your app will continue to work.

Known issues

ReferenceError: Can't find variable: process

When using a bundler that performs dead-code elimination, you must ensure that process.env.NODE_ENV is declared globally with either a value of development or production. This is done in Webpack by specifying a mode, in Terser using the --define flag and in Rollup using the rollup-plugin-define plugin. See (#212).


Read on for more information on our APIs.