
untrusted-types's Introduction

filedescriptor


untrusted-types's Issues

Errors when web workers use importScripts()

Hey, I stumbled upon a similar issue as #1 (This document requires 'TrustedScriptURL' assignment.) for websites that leverage web workers. It seems that Chrome isn't using the default policy as a fallback in case strings are passed to importScripts() resulting in errors since the CSP enforces trusted types.

The minimal POC to reproduce this is:

index.html

<!doctype html>
<html>
<head>
    <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
</head>
<body>
<script>
// Document-level default policy: identity passthrough, deliberately permissive for the POC
trustedTypes.createPolicy('default', {
  createHTML: string => string,
  createScript: string => string,
  createScriptURL: string => string
});

var worker = new Worker("script1.js");
</script>
</body>
</html>

script1.js

console.log('hi, from script1.js');
importScripts('script2.js');

script2.js

console.log('hi, from script2.js');

Here's a live version http://165.227.165.4/web-worker-trusted-types/index.html

I couldn't find much information regarding this behaviour; however, my gut feeling tells me this might be a bug in Chrome, but I'm not too familiar with web workers (and how they work with trusted types). Just thought I'd mention it here in case others run into it (not sure there is anything the extension could do in these cases).
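
An added example, not code from this issue or from untrusted-types: Trusted Types policies are scoped to the global they are created in, so a worker has to register its own default policy in script1.js rather than rely on the one the document created. The policy below assumes a worker running at `origin` and only accepts same-origin script paths instead of the POC's identity passthrough; `stubTrustedTypes` is a constructed stand-in for the factory so the logic also runs outside a browser.

```javascript
// Registers this realm's own default policy. In a real worker, call
// makeWorkerDefaultPolicy(self.trustedTypes, self.location.origin) at the top of
// script1.js, before the first importScripts(); plain string arguments to
// importScripts() in that worker are then routed through createScriptURL().
function makeWorkerDefaultPolicy(tt, origin) {
  return tt.createPolicy('default', {
    createScriptURL(input) {
      const url = new URL(String(input), origin);
      // Reject anything that does not resolve to this worker's own origin.
      if (url.origin !== origin) {
        throw new TypeError(`importScripts blocked for cross-origin URL: ${url.href}`);
      }
      return url.href;
    },
  });
}

// Explicit variant: wrap each URL through the policy first, so the call works
// even in a realm that has no default policy. Returns the resolved URLs.
function trustedImportScripts(policy, importScriptsFn, ...urls) {
  const trusted = urls.map((u) => policy.createScriptURL(u));
  importScriptsFn(...trusted);
  return trusted.map(String);
}

// Constructed stand-in for the trustedTypes factory (Node has none). It models
// only what is used above: one policy per name, and createScriptURL delegating
// to the policy's rule. Real factories return TrustedScriptURL objects.
function stubTrustedTypes() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`policy "${name}" already exists`);
      names.add(name);
      return { name, createScriptURL: (s) => rules.createScriptURL(s) };
    },
  };
}
```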

Untrusted Types for DevTools

Hey, first of all, thanks for making this extension.
While using it I found that on some websites the console gets cluttered and sometimes it's easy to get lost in the logs. I thought it'd be nice if there was a panel in DevTools where you could filter or search the logs, just like the Network panel.
I initially wanted to do a PR, but I kept adding more stuff and added Svelte+TypeScript for the UI, so I thought it might be better if I publish it in a separate repo, or let me know what you think...

The new features are:
Panel in DevTools, where you can:

  • filter by sink type
  • filter by code in the input
  • choose to preserve log after navigation/reload
  • clear the log
  • modify settings (which are saved in chrome.storage)
    • all the original settings (list of keywords, list of source/any call stack substrings to ignore, trace limit, only log highlighted) +
    • highlighting options (it uses Document.execCommand hiliteColor for highlighting, which is slow, but works)
    • group the console.trace/logs in console using console.group to keep the console a bit more tidy
  • view found sinks
    • with syntax highlighted input code
    • or open the code in a popup window
    • the href url
    • the stack trace
      • The stack trace is a bit unfortunate since it can't be formatted nicely with clickable links (as console.trace does), but as an alternative I've given each stack trace a unique ID which you can copy by clicking it, and then just filter by the ID in console to find it. Obviously that won't work if you clear the console, but other than that it should work fine.

Injected script
Since chrome.storage is entirely asynchronous I thought it wouldn't be possible to fetch the settings in the injected script, but it's actually possible to intercept the settings.json XMLHttpRequest and redirect the request to data:application/json,{settings:...}, which gives us synchronous access to the dynamic settings directly in the injected script.
The injected script <-> extension communication is via postMessage, which is also not ideal, but seems to be the only possible way.

Here's a screenshot of the DevTools panel: [image: ui]

The repository can be found at: https://github.com/ThomasOrlita/untrusted-types-devtools

Thanks!

Notifications when a keyword is found

Hello

I've been using this tool for quite a while now, and one thing that I feel is missing is a notification once one of the predefined keywords is detected by untrusted-types.
It would be extremely helpful, since untrusted-types only has an interface located in the developer tools. That way, I won't have to keep checking, or leave the developer tools open while looking for potential DOM-based cross-site scripting issues.

Thanks!

error in console: Uncaught ReferenceError: trustedTypes is not defined

UNTRUSTED_TYPES_CHECK_STACK_BELOW:27 Uncaught ReferenceError: trustedTypes is not defined
at UNTRUSTED_TYPES_CHECK_STACK_BELOW:27
at UNTRUSTED_TYPES_CHECK_STACK_BELOW:36
(anonymous) @ UNTRUSTED_TYPES_CHECK_STACK_BELOW:27
(anonymous) @ UNTRUSTED_TYPES_CHECK_STACK_BELOW:36
content.js:53 Unrecognized Content-Security-Policy directive 'require-trusted-types-for'.


Keyword highlighting is not working

First of all, congrats on the impressive and creative use of Trusted Types!

I noticed, while trying to follow along with your video here, specifically the part where you're demoing the keyword d0mxss in the input field on http://prompt.ml/1, that the functionality described there doesn't seem to be working for me.

I have no errors in my console and even tried with all other extensions disabled.

Chrome version: 87.0.4280.67 (Official Build) (x86_64)
Untrusted-types version: 0.0.1

Use console's debug() to log navigation sinks

Currently, Trusted Types only covers location = 'javascript:' + user_input but not location = user_input and other similar things that trigger navigation. I believe they are common sinks so we don't want to miss them.

It is not possible to hook into the assignment call either. location.__defineSetter__() doesn't work because most properties are read-only. However, it is possible to use the debug() function from DevTools' console (monitor() doesn't work, sadly).

I will see if introducing this change would break anything.
