Google has been working for months on a new Chrome feature that defends against DOM-based XSS attacks. The feature is a browser API called ‘Trusted Types’ that helps Chrome block a specific class of cross-site scripting (XSS) vulnerabilities.
This feature adds another layer of protection at the browser level against one of the three types of cross-site scripting vulnerability, DOM-based XSS. The other two types are Stored XSS and Reflected XSS.
What is DOM-based XSS?
DOM-based XSS is a cross-site scripting vulnerability that lives in a website's client-side code. Attackers feed malicious input into so-called injection points, places where the page's own JavaScript writes data into the browser's DOM, in order to execute malicious operations such as stealing browser cookies, manipulating page content, or redirecting users to a phishing site.
How can Trusted Types protect users from DOM-based XSS?
Trusted Types will prevent DOM-XSS attacks by enabling website owners to lock down the known injection points in a website's code that give rise to DOM-based XSS.
Website owners can enable Chrome's Trusted Types by setting a certain value in the Content Security Policy (CSP) HTTP response header.
Once enabled, Chrome's built-in Trusted Types API restricts what can be written to DOM injection points, blocking an attack before injected exploit code can reach the DOM (the page's live document model) and run against users.
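To make the mechanism above concrete, here is an added example (not code from the article or from Google) that models in plain JavaScript how a Trusted Types policy gates a DOM sink. The CSP directives `require-trusted-types-for 'script'` and `trusted-types` quoted in the comments are the real directives from the Trusted Types specification, which the article does not name; the `TrustedHTML` class, the `createPolicy` registry, the `assignInnerHTML` sink and the attacker-controlled input are constructed stand-ins so the example runs outside a browser.

```javascript
// Added example: a minimal model of how Trusted Types gates a DOM sink.
// In a real browser, with the response header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-policy
// Chrome refuses plain strings at injection sinks such as element.innerHTML
// and only accepts TrustedHTML objects produced by a registered policy.
// Everything below is a constructed stand-in for that behaviour, not Chrome's code.

class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Escape the characters that let untrusted text break out into markup.
function escapeHTML(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors trustedTypes.createPolicy(name, rules): the `trusted-types <name>`
// directive restricts which policy names a page may register.
const allowedPolicyNames = new Set(['app-policy']); // constructed allow-list

function createPolicy(name, rules) {
  if (!allowedPolicyNames.has(name)) {
    throw new TypeError(`Policy "${name}" disallowed by trusted-types directive`);
  }
  return {
    name,
    // Every string passes through the site's rule before becoming TrustedHTML.
    createHTML(input) { return new TrustedHTML(rules.createHTML(input)); },
  };
}

// The sink: stands in for `element.innerHTML = value` when
// require-trusted-types-for 'script' is enforced.
function assignInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = value.toString();
  return element.innerHTML;
}

// Constructed attacker-controlled input, e.g. read from location.hash.
const untrustedInput = '<img src=x onerror="alert(document.cookie)">';

function demo() {
  const element = { innerHTML: '' }; // constructed stand-in for a DOM node
  const policy = createPolicy('app-policy', { createHTML: escapeHTML });

  // The classic DOM-XSS pattern: a raw string written straight into a sink.
  let blockedRawString = false;
  try {
    assignInnerHTML(element, untrustedInput);
  } catch (e) {
    blockedRawString = e instanceof TypeError;
  }

  // The only path that reaches the sink goes through the policy, which
  // neutralises the markup so it renders as text rather than executing.
  const rendered = assignInnerHTML(element, policy.createHTML(untrustedInput));
  return { blockedRawString, rendered };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that enforcement sits at the sink, not at the input: any code path that forgets to sanitise is rejected by the browser, so the security review collapses to auditing the few policy functions instead of every place a string is written into the DOM.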
In a tutorial on how website owners can enable Trusted Types, Krzysztof Kotowicz, a Software Engineer in the Information Security Engineering team at Google, claimed that this new feature would “help obliterate DOM XSS.”