new_audit: mitigate dom-based xss with trusted types #16493
Conversation
Had to clean checkout and re-run yarn and build-all 🤷 Should be done now.
The smoketest seems to fail depending on which environment it's being executed in.
A recent change to Chrome canary is causing those errors on RobotsTxt/source maps, it's being looked into now.
This should cover all the tests failing that are related to this PR.
Since there are no changes needed to the implementation, I'll just merge and fix on our end. Thanks!
Summary
Adding a new audit to Lighthouse, which detects missing DOM-based XSS mitigation through the Trusted-Types directive in the Content-Security-Policy HTTP header.
Part of a larger change to introduce more similar header deployments.
Similar to the Clickjacking audit (#16290), the description contains a placeholder doc link until the internal doc is approved.
@adamraine FYI
🔒 design doc (googlers only, sorry)
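The check the new audit performs, as an added example that is not the Lighthouse PR's own code: parse the response's CSP headers and report whether an enforced policy carries `require-trusted-types-for 'script'`. Function names and the sample headers are constructed for this illustration; a policy sent only via Content-Security-Policy-Report-Only is reported separately because it does not enforce anything.

```javascript
// Added example (not from the Lighthouse PR): does a response enable
// DOM-XSS mitigation via Trusted Types, i.e. does an enforced CSP carry
// `require-trusted-types-for 'script'`?

/** Parse one CSP policy string into a Map of directive name -> source list. */
function parseCsp(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

/** True if this policy requires Trusted Types for script sinks. */
function requiresTrustedTypesForScript(policy) {
  const sources = policy.get('require-trusted-types-for') || [];
  return sources.some(s => s.toLowerCase() === "'script'");
}

/**
 * headers: array of {name, value} response headers.
 * Returns {enforced, reportOnly}: enforced is true only when a real
 * Content-Security-Policy header (not Report-Only) requires Trusted Types.
 */
function auditTrustedTypes(headers) {
  const result = {enforced: false, reportOnly: false};
  for (const {name, value} of headers) {
    const lower = name.toLowerCase();
    if (lower !== 'content-security-policy' &&
        lower !== 'content-security-policy-report-only') continue;
    // One header value may carry several comma-separated policies.
    for (const policyText of value.split(',')) {
      if (!requiresTrustedTypesForScript(parseCsp(policyText))) continue;
      if (lower === 'content-security-policy') result.enforced = true;
      else result.reportOnly = true;
    }
  }
  return result;
}

// Constructed sample: an enforced policy that passes the check.
const sampleHeaders = [
  {name: 'Content-Security-Policy',
   value: "default-src 'self'; require-trusted-types-for 'script'; trusted-types default"},
];
console.log(auditTrustedTypes(sampleHeaders)); // {enforced: true, reportOnly: false}
```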