new_audit: mitigate dom-based xss with trusted types #16493

Merged (39 commits), Jul 7, 2025

Conversation

sebastian9er
Collaborator

@sebastian9er sebastian9er commented May 20, 2025

Summary
Adding a new audit to Lighthouse, which detects missing DOM-based XSS mitigation through the Trusted-Types directive in the Content-Security-Policy HTTP header.

Part of a larger change to introduce more similar header deployments.

Similar to the Clickjacking audit (#16290), the description contains a placeholder doc link until the internal doc is approved.

@adamraine FYI

🔒 design doc (googlers only, sorry)
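An added example, not code from this PR or from Lighthouse: a small JavaScript check of the kind the audit described above performs, parsing the enforcing Content-Security-Policy response headers and reporting whether Trusted Types are required for script sinks via `require-trusted-types-for 'script'` (the header objects and sample policies are constructed for the example).

```javascript
// Added example, not the Lighthouse audit's own code. Checks whether the enforcing
// Content-Security-Policy header(s) of a response contain
// `require-trusted-types-for 'script'` (all header samples below are constructed).

/** Parse one CSP header value into a Map of directive name -> remaining tokens. */
function parseCsp(headerValue) {
  const directives = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A directive repeated inside one policy is ignored by browsers: keep the first.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

/**
 * responseHeaders: array of {name, value}. Only `Content-Security-Policy` headers
 * count; `Content-Security-Policy-Report-Only` never enforces, so it is skipped.
 * Each header is an independent policy, so enforcement by any one of them suffices.
 * Returns {enforced, reason}.
 */
function trustedTypesStatus(responseHeaders) {
  let sawDirective = false;
  for (const header of responseHeaders) {
    if (header.name.toLowerCase() !== 'content-security-policy') continue;
    const tokens = parseCsp(header.value).get('require-trusted-types-for');
    if (!tokens) continue;
    sawDirective = true;
    if (tokens.some(t => t.toLowerCase() === "'script'")) {
      return {enforced: true, reason: "require-trusted-types-for 'script' is present"};
    }
  }
  return {
    enforced: false,
    reason: sawDirective
      ? "require-trusted-types-for is present but does not list 'script'"
      : 'no enforcing policy contains require-trusted-types-for',
  };
}

// Constructed sample responses (not real site headers).
const SAMPLE_RESPONSES = {
  enforced: [{name: 'Content-Security-Policy',
    value: "script-src 'self'; require-trusted-types-for 'script'; trusted-types default"}],
  reportOnly: [{name: 'Content-Security-Policy-Report-Only',
    value: "require-trusted-types-for 'script'"}],
  missing: [{name: 'Content-Security-Policy', value: "default-src 'self'"}],
};
```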

@sebastian9er sebastian9er requested a review from a team as a code owner May 20, 2025 12:47
@sebastian9er sebastian9er requested review from connorjclark and removed request for a team May 20, 2025 12:47
@sebastian9er
Collaborator Author

Had to clean checkout and re-run yarn and build-all 🤷

Should be done now.

@sebastian9er
Collaborator Author

The smoketest seems to fail depending on which environment it's being executed in.

@sebastian9er sebastian9er requested a review from connorjclark July 4, 2025 09:57
@connorjclark
Collaborator

A recent change to Chrome canary is causing those errors on RobotsTxt/source maps, it's being looked into now.

@connorjclark
Collaborator

This should cover all the tests failing that are related to this PR.

commit e264562e8c510e70e6775bd04ad417c8eb23f8de
Author: Connor Clark <cjamcl@gmail.com>
Date:   Mon Jul 7 11:41:52 2025 -0700

    update snapshots

diff --git a/core/test/scenarios/__snapshots__/api-test-pptr.js.snap b/core/test/scenarios/__snapshots__/api-test-pptr.js.snap
index 85c7364a5..7a3c129c7 100644
--- a/core/test/scenarios/__snapshots__/api-test-pptr.js.snap
+++ b/core/test/scenarios/__snapshots__/api-test-pptr.js.snap
@@ -157,6 +157,7 @@ Array [
   "third-party-summary",
   "total-blocking-time",
   "total-byte-weight",
+  "trusted-types-xss",
   "unminified-css",
   "unminified-javascript",
   "unsized-images",
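Review bot: `"trusted-types-xss"` is inserted between `"total-byte-weight"` and `"unminified-css"`, which keeps this snapshot array in alphabetical order; the same audit list appears a second time in this file (next hunk), so any later rename of the audit id has to be applied to both copies or the snapshot test will fail again.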
@@ -337,6 +338,7 @@ Array [
   "third-party-summary",
   "total-blocking-time",
   "total-byte-weight",
+  "trusted-types-xss",
   "unminified-css",
   "unminified-javascript",
   "unsized-images",
diff --git a/third-party/devtools-tests/e2e/lighthouse/navigation_test.ts b/third-party/devtools-tests/e2e/lighthouse/navigation_test.ts
index d060c13a1..67d0deb8d 100644
--- a/third-party/devtools-tests/e2e/lighthouse/navigation_test.ts
+++ b/third-party/devtools-tests/e2e/lighthouse/navigation_test.ts
@@ -120,7 +120,7 @@ describe('Navigation', function() {
     });
 
     const {auditResults, erroredAudits, failedAudits} = getAuditsBreakdown(lhr, ['max-potential-fid']);
-    assert.strictEqual(auditResults.length, 175);
+    assert.strictEqual(auditResults.length, 176);
     assert.deepStrictEqual(erroredAudits, []);
     assert.deepStrictEqual(failedAudits.map(audit => audit.id), [
       'document-title',
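Review bot: the hard-coded expectation `assert.strictEqual(auditResults.length, 176);` has to be bumped every time an audit is added, which is all this hunk does; asserting that `'trusted-types-xss'` is among `auditResults`, or deriving the count from the audit list Lighthouse registers, would make the test describe the change rather than a magic number. The `failedAudits` expectation starting at `'document-title'` is unchanged in this hunk, so the test presumes the new audit does not fail on the test page; worth confirming, since a page without a Trusted Types CSP would need `'trusted-types-xss'` added to that list.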
@@ -205,7 +205,7 @@ describe('Navigation', function() {
     ];
 
     const {auditResults, erroredAudits, failedAudits} = getAuditsBreakdown(lhr, flakyAudits);
-    assert.strictEqual(auditResults.length, 175);
+    assert.strictEqual(auditResults.length, 176);
     assert.deepStrictEqual(erroredAudits, []);
     assert.deepStrictEqual(failedAudits.map(audit => audit.id), [
       'document-title',
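Review bot: same count bump as the previous hunk, but this test excludes `flakyAudits` rather than `['max-potential-fid']`; given the comment earlier in this conversation that the smoketest fails depending on the environment, `flakyAudits` is the place to park the new audit if it turns out to be environment-dependent, rather than adjusting the count again.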

@connorjclark
Collaborator

connorjclark commented Jul 7, 2025

Since there are no changes needed to the implementation, I'll just merge and fix on our end.

Thanks!

@connorjclark connorjclark reopened this Jul 7, 2025
@connorjclark connorjclark merged commit d345a8d into GoogleChrome:main Jul 7, 2025
30 of 41 checks passed