Conversation

Daniel Micay

@DanielMicay

I didn't realize trusted-types: 'none' could be added to explicitly forbid creating Trusted Types policies. https://twitter.com/shhnjk/status/1375495865926787073… Added it to the global policy for https://attestation.app and https://grapheneos.org in addition to baseline require-trusted-types-for 'script'.

Quote Tweet

Jun Kokatsu

@shhnjk

·

Mar 26, 2021

The story about how we killed XSS from Edge internal pages https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/…

7:44 PM · Mar 26, 2021·Twitter Web App

1

Retweet

8

Likes

Daniel Micay

@DanielMicay

·

Mar 26, 2021

Replying to

@DanielMicay

The zip library used for the web installer doesn't support Trusted Types yet so we're not using it for the https://grapheneos.org/install/web page yet. Something to do with the way the zip library (https://github.com/nodeca/pako) uses web workers. Don't have resources to improve that for them...

grapheneos.org

GrapheneOS web installer

Web-based installer for GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.

1

3

Daniel Micay

@DanielMicay

·

Mar 27, 2021

https://github.com/gildas-lormeau/zip.js… uses that lower-level DEFLATE library via web workers. The way it's being done is dynamic and results in a Trusted Types violation. It'd ideally be changed to work without needing a Trusted Types policy. Don't have time to look into it but someone could.

github.com

GitHub - gildas-lormeau/zip.js: JavaScript library to zip and unzip files supporting multi-core...

JavaScript library to zip and unzip files supporting multi-core compression, compression streams, Zip64 and encryption. - GitHub - gildas-lormeau/zip.js: JavaScript library to zip and unzip files s...

2