Firefox Update: Mozilla introduces Trusted Types to Protect against Cross-Site Scripting

The company is among those who fight against XSS attacks – one of the most common on the Web.

Mozilla announced plans to implement a web security technology called Trusted Types in its Firefox browser. The step is aimed at reducing the risk of attacks based on injecting malicious code. The Firefox maker stated its positive view of the technology after a thorough analysis.

Trusted Types, first introduced in Chrome and Edge in May 2020, are designed to combat cross-site scripting (XSS) attacks, which are among the most dangerous and widespread on the Internet. Such attacks ranked first in the OWASP Top Ten in 2017 and had fallen to third place by 2021, and their prevalence is expected to decrease further with the introduction of Trusted Types.

Trusted Types is a web security technology implemented in browser standards to combat cross-site scripting (XSS) vulnerabilities, especially those related to the Document Object Model (DOM). It provides an API that allows web applications to restrict access to potentially dangerous DOM APIs, such as innerHTML, outerHTML, document.write, and others that can be used to execute malicious code.

Instead of directly inserting strings that may contain malicious code, Trusted Types requires that data be processed through special objects called "Trusted Types". These types include TrustedHTML, TrustedScriptURL, TrustedScript, and others that ensure that data passed to dangerous DOM APIs has been properly validated and processed to prevent XSS attacks.

Developers create these "trusted" types with the help of special creator objects (policies), which lets them control and filter user input or any other data that could be used for an attack. Trusted Types integrates with the Content Security Policy (CSP), allowing site administrators to configure security policies that enforce Trusted Types rules site-wide.
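The policy and CSP interaction described above, as an added example that is not Mozilla's or Google's code. It assumes a single policy named `escape-only` and, so that it also runs outside a browser, falls back to a tiny shim that only mirrors the shape of `window.trustedTypes` (the shim is an assumption, not the browser implementation).

```javascript
// Use the real Trusted Types factory when the browser provides it; otherwise a
// constructed shim with the same createPolicy/createHTML shape for demonstration.
const tt = globalThis.trustedTypes ?? {
  createPolicy(name, rules) {
    // In a browser, createPolicy throws if `name` is not listed in the CSP
    // `trusted-types` directive; the shim does not enforce that.
    return {
      name,
      createHTML: (input) => ({
        policyName: name,
        value: rules.createHTML(String(input)),
        toString() { return this.value; },
      }),
    };
  },
};

// Conservative escaping used as the policy rule: every character that could
// open a tag or break out of an attribute is neutralised (constructed example,
// not a production sanitizer).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The only policy this page is allowed to use to produce TrustedHTML values.
const htmlPolicy = tt.createPolicy('escape-only', { createHTML: escapeHtml });

// Assumed Content-Security-Policy header value sent by the server: enforce
// Trusted Types for all injection sinks and allow only the `escape-only` policy.
const CSP_HEADER = "require-trusted-types-for 'script'; trusted-types escape-only";

// Vulnerable form: under the CSP above the browser rejects the plain string with
// a TypeError, which is exactly how Trusted Types surfaces DOM-XSS sinks.
function renderVulnerable(container, userInput) {
  container.innerHTML = userInput;
}

// Hardened form: the TrustedHTML object (not its string form) is assigned to the
// sink, so the browser can verify it came from an allowed policy.
function renderUntrusted(container, userInput) {
  const safe = htmlPolicy.createHTML(userInput);
  container.innerHTML = safe;
  return safe.toString();
}
```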

Google notes a reduced risk of DOM-XSS attacks on its sites thanks to the introduction of Trusted Types. In 2018, XSS attacks accounted for 30% of all vulnerabilities in the Bug Bounty program, while by 2023 this figure has decreased to 4.1%.

Meta also expressed support for the technology, noting that wider adoption of Trusted Types on websites will benefit the entire web platform. The open-source organization emphasized the usefulness of Trusted Types after enabling the option in a web application, noting that the technology helps identify potential cross-site scripting injection points.

Although Trusted Types is not yet supported by all browsers, web application developers should adapt their code now to protect against XSS attacks, as Firefox, Safari and other browsers are expected to eventually include this technology.