Reliable to use on XSS-disabled sites? #23
Will this polyfill work reliably in sites/environments which block XSS? I see the script creates and uses an eval(), which I am thinking might get flagged and blocked by one of these XSS blockers.

Comments

Can you elaborate on what you mean by XSS blocking? The polyfill does use eval, yes. While this is certainly less secure than the browser implementations of Paint Worklet, the increase in surface area is the same: CSS Custom Paint makes it possible for CSS to trigger JavaScript execution via

@developit Thanks for your response. I'm working on something related to Paint now. So in other words, using

I wouldn't say it's as secure as the browser implementation, no. The eval usage here is part of a simple sandboxed environment where Paint Worklet code runs. In the browser implementation, that is done using a separate realm that makes it impossible for Paint Worklet code to access the document or global scope of a web page. In the polyfill, a malicious Paint Worklet could easily break out of this sandbox. The security implications of this depend on how you use Paint Worklets. If you only ever load Worklets you have authored or installed and load them from your own domain, there isn't really an increased security risk associated with the polyfill's use of eval(). However, if you were to load remote Paint Worklets, these could bypass the polyfill's sandbox and access your page. So, if you are able to trust the code/url you're passing to CSS.paintWorklets.addModule(), the risk is probably tolerable. If you can't trust that code, even without the polyfill present, it's likely too high risk.

@developit Thanks for clarifying! That answers my question.