
Google has created a new browser API ‘Trusted Types’ to fight against DOM XSS attacks


The AchieVer

  • Google has been working for months on a new Chrome feature that fights against DOM-based XSS attacks.
  • The new feature is a browser API called ‘Trusted Types’ that helps Chrome fight against XSS vulnerabilities.

Google has been working for months on a new Chrome feature that fights against DOM-based XSS attacks. The new feature is a browser API called ‘Trusted Types’ that helps Chrome defend against a specific class of cross-site scripting (XSS) vulnerabilities.

The feature adds another layer of protection at the browser level against one of the three types of cross-site scripting, namely DOM-based XSS. The other two types are stored XSS and reflected XSS, in which the malicious payload is delivered in the server's response rather than introduced by the page's own client-side code.

What is DOM-based XSS?

DOM-based XSS is a cross-site scripting vulnerability that lives in a website's client-side JavaScript rather than in its server responses: the page's own script takes attacker-controllable data (for example, from the URL fragment or a query parameter) and passes it into a DOM "sink" such as innerHTML, document.write or eval, so the browser ends up executing attacker-supplied code. These sinks are the so-called injection points. An attacker who reaches one can perform malicious operations in the victim's session such as stealing browser cookies, manipulating page content, or redirecting the user to a phishing site.

How can Trusted Types protect users from DOM-based XSS?

Trusted Types prevents DOM XSS attacks by letting website owners lock down the known injection points (the DOM sinks) in their client-side code that lead to DOM-based XSS. Once enforced, those sinks no longer accept arbitrary strings; they only accept values created through a policy the site itself defines, which is where sanitization or escaping is centralized.

Website owners enable Chrome's Trusted Types by setting the corresponding directive in the Content Security Policy (CSP) HTTP response header sent with the page.

Once enabled, Chrome's built-in Trusted Types enforcement restricts access to the DOM injection points, blocking an attack before the XSS payload can reach the DOM (the browser's in-memory representation of the page) and run.
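The following is an added example, not code from the article or from Google's implementation. It is a small Node.js model of the mechanism described above: a stand-in `trustedTypes` factory (the real one is `window.trustedTypes` in Chrome) and a stand-in element whose `innerHTML` setter refuses plain strings when enforcement is on, so the vulnerable "before" and the locked-down "after" can be compared offline. The policy name `app-escape`, the `escapeHtml` sanitizer, the `makeElement` helper and the attacker fragment are all constructed for the example; the CSP directive names in the comment (`require-trusted-types-for 'script'` and `trusted-types`) are the ones used by the current Trusted Types specification and are not quoted by the article itself.

```javascript
// Added example (not the article's or Google's code): a Node.js model of how a
// Trusted Types policy gates a DOM XSS sink. Assumed CSP header for the "after" case:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-escape

// Opaque wrapper that only a policy can produce (stand-in for the browser's TrustedHTML).
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Stand-in for window.trustedTypes. `allowedPolicyNames` models the CSP
// `trusted-types <names>` directive: only listed names may be created, once each.
function createTrustedTypesFactory(allowedPolicyNames) {
  const created = new Set();
  return {
    createPolicy(name, rules) {
      if (!allowedPolicyNames.includes(name) || created.has(name)) {
        throw new TypeError(`Policy "${name}" disallowed by the trusted-types directive`);
      }
      created.add(name);
      return {
        name,
        // All sanitization lives here; callers cannot mint TrustedHTML any other way.
        createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
      };
    },
    isHTML: (value) => value instanceof TrustedHTML,
  };
}

// Stand-in for an element's innerHTML setter. With `enforce` (the effect of
// `require-trusted-types-for 'script'`), a plain string is rejected at the sink.
function makeElement(trustedTypes, enforce) {
  const el = { html: '' };
  el.setInnerHTML = (value) => {
    if (enforce && !trustedTypes.isHTML(value)) {
      throw new TypeError("This document requires 'TrustedHTML' assignment.");
    }
    el.html = String(value);
  };
  return el;
}

// Escaping sanitizer used by the policy (assumption: a real app would more likely
// use an HTML sanitizer such as DOMPurify inside createHTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed attacker input, e.g. what a page might read from location.hash.
const ATTACKER_FRAGMENT = '<img src=x onerror="alert(document.cookie)">';

// Before: no enforcement. The untrusted string reaches the sink verbatim (DOM XSS).
function renderWithoutTrustedTypes(fragment) {
  const el = makeElement(createTrustedTypesFactory([]), false);
  el.setInnerHTML(fragment);
  return el.html;
}

// After: enforcement on. The raw string is refused; only policy output is accepted.
function renderWithTrustedTypes(fragment) {
  const tt = createTrustedTypesFactory(['app-escape']);
  const policy = tt.createPolicy('app-escape', { createHTML: escapeHtml });
  const el = makeElement(tt, true);
  let rawStringBlocked = false;
  try {
    el.setInnerHTML(fragment);            // would be DOM XSS; blocked at the sink
  } catch (e) {
    rawStringBlocked = e instanceof TypeError;
  }
  el.setInnerHTML(policy.createHTML(fragment)); // goes through the policy: escaped
  return { rawStringBlocked, html: el.html };
}

// A policy name not allowed by CSP cannot be created at all.
function canCreateUnlistedPolicy() {
  try {
    createTrustedTypesFactory(['app-escape']).createPolicy('rogue', { createHTML: (s) => s });
    return true;
  } catch (e) {
    return false;
  }
}

console.log('before:', renderWithoutTrustedTypes(ATTACKER_FRAGMENT));
console.log('after: ', renderWithTrustedTypes(ATTACKER_FRAGMENT));
```

The point of the model is that the fix is not a per-call-site sanitizer but a single choke point: the sink itself rejects strings, so every `innerHTML` assignment in the codebase either goes through a reviewed policy or fails at runtime, which is what makes the remaining injection points enumerable.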

In a tutorial on how website owners can enable Trusted Types, Krzysztof Kotowicz, a Software Engineer in the Information Security Engineering team at Google, claimed that this new feature would “help obliterate DOM XSS.”
