Adopting Trusted Types in Production Web Frameworks to Prevent DOM-Based Cross-Site Scripting: A Case Study

Title: Adopting Trusted Types in Production Web Frameworks to Prevent DOM-Based Cross-Site Scripting: A Case Study
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Wang, Pei; Guðmundsson, Bjarki Ágúst; Kotowicz, Krzysztof
Conference Name: 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Keywords: API, APIs, Application program interface, application program interfaces, Application Programming Interface (API), codes, composability, compositionality, Costs, Cross Site Scripting, cross-site scripting, HTML, Human Behavior, Proposals, pubcrawl, resilience, Resiliency, Scalability, security, trusted types, web security
Abstract: Cross-site scripting (XSS) is a common security vulnerability found in web applications. DOM-based XSS, one of the variants, is becoming particularly prevalent with the boom of single-page applications where most of the UI changes are achieved by modifying the DOM through in-browser scripting. It is very easy for developers to introduce XSS vulnerabilities into web applications since there are many ways for user-controlled, unsanitized input to flow into a Web API and get interpreted as HTML markup and JavaScript code. An emerging Web API proposal called Trusted Types aims to prevent DOM XSS by making Web APIs secure by default. Different from other XSS mitigations that mostly focus on post-development protection, Trusted Types direct developers to write XSS-free code in the first place. A common concern when adopting a new security mechanism is how much effort is required to refactor existing code bases. In this paper, we report a case study on adopting Trusted Types in a well-established web framework. Our experience can help the web community better understand the benefits of making web applications compatible with Trusted Types, while also getting to know the related challenges and resolutions. We focused our work on Angular, which is one of the most popular web development frameworks available on the market.
DOI: 10.1109/EuroSPW54576.2021.00013
Citation Key: wang_adopting_2021
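The abstract describes Trusted Types as making DOM sinks secure by default: under enforcement, a sink such as `innerHTML` refuses a plain string and accepts only a typed value minted by a registered policy, so the policy's rule function becomes the single place where sanitization is written and reviewed. The following is an added example, not code from the paper or from Angular. It is a small Node.js model of that control flow: the `TrustedHTML` class, the `createPolicy` function and the `Element` sink are stand-ins that mirror the shape of the browser's `window.trustedTypes.createPolicy` and the `innerHTML` setter so the behaviour can be run offline; the attacker payload and the `escape` and `passthrough` policy names are constructed for illustration.

```javascript
// Added example: offline model of the Trusted Types mechanism. In a browser the
// real objects are window.trustedTypes (policy factory) and the DOM sinks; the
// classes below only imitate their shape so the example runs under Node.js.

// A TrustedHTML value can only be produced through a policy. Holding the markup
// in a private field means application code cannot forge one from a string.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = String(value); }
  toString() { return this.#value; }
}

// Mirrors trustedTypes.createPolicy(name, rules): the rule function supplied
// as createHTML is the sanitizer, and it is the one spot a reviewer must audit.
function createPolicy(name, rules) {
  return {
    name,
    createHTML(input) {
      return new TrustedHTML(rules.createHTML(String(input)));
    },
  };
}

// Context-appropriate escaping for HTML text content.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// A DOM-like element whose innerHTML setter behaves like a Trusted Types
// enforced sink when `enforce` is true (the browser turns this on via CSP).
class Element {
  constructor(enforce) { this.enforce = enforce; this.html = ''; }
  set innerHTML(v) {
    if (this.enforce && !(v instanceof TrustedHTML)) {
      // The browser raises a TypeError here; the message text is modelled.
      throw new TypeError("This document requires 'TrustedHTML' assignment.");
    }
    this.html = String(v);
  }
  get innerHTML() { return this.html; }
}

// Constructed attacker-controlled input, e.g. read from location.hash.
const USER_INPUT = '<img src=x onerror="alert(1)">';

// 1. Vulnerable: the raw string reaches the sink (classic DOM XSS).
function renderUnsafe() {
  const el = new Element(false);
  el.innerHTML = USER_INPUT;
  return el.innerHTML;
}

// 2. Same code under enforcement: the assignment is rejected at the sink,
//    so the bug is found at development time rather than shipped.
function renderEnforced() {
  const el = new Element(true);
  try {
    el.innerHTML = USER_INPUT;
    return 'unreachable';
  } catch (e) {
    return e.constructor.name;
  }
}

// 3. Compliant: route the string through a sanitizing policy.
const escapePolicy = createPolicy('escape', { createHTML: escapeHtml });
function renderWithPolicy() {
  const el = new Element(true);
  el.innerHTML = escapePolicy.createHTML(USER_INPUT);
  return el.innerHTML;
}

// 4. Caveat: a policy that returns its input unchanged satisfies the type check
//    but reintroduces the sink. Trusted Types move the review burden to the
//    policy definitions, so such policies must be rare and tightly scoped.
const passthroughPolicy = createPolicy('passthrough', { createHTML: (s) => s });
function renderWithPassthrough() {
  const el = new Element(true);
  el.innerHTML = passthroughPolicy.createHTML(USER_INPUT);
  return el.innerHTML;
}

// Header that enables enforcement in a real browser and restricts which policy
// names may be created (here only 'escape'; 'passthrough' would be refused).
const CSP_HEADER =
  "Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape";

module.exports = { renderUnsafe, renderEnforced, renderWithPolicy, renderWithPassthrough, USER_INPUT, CSP_HEADER };
```

Running the four render functions shows the progression the abstract is about: the unsafe path emits the payload verbatim, the enforced path fails with a `TypeError`, the policy path emits escaped markup, and the passthrough policy shows why the `trusted-types` CSP directive that allow-lists policy names matters.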