Many online services deal with sensitive information such as credit card data, making those applications a prime target for adversaries, e.g., through Cross-Site Scripting (XSS) attacks. Moreover, Web applications nowadays deploy their functionality via client-side code to lower the server’s load, require fewer page reloads, and allow Web applications to work even if the connection is interrupted. Given this paradigm shift of increasing complexity on the browser side, client-side security issues such as client-side XSS are getting more prominent these days. A solution already deployed in server-side applications of major companies like Google is to use type-safe data, where potentially attacker-controlled string data can never be output with sanitization. For client-side XSS, an analogous solution is offered by the newly introduced Trusted Types API. With Trusted Types, the browser enforces that no input can be passed to an execution sink without having been sanitized first. Thus, the only remaining task – in theory – for a developer is to create a proper sanitizer. This study aims to uncover roadblocks that occur during the deployment of the mechanism, as well as strategies on how developers can circumvent those problems, by conducting a semi-structured interview including a coding task with 13 real-world Web developers. Our work also identifies key weaknesses in the design and documentation of Trusted Types, which we urge the standardization body to incorporate before the Trusted Types becomes a standard.
Usenix Security Symposium (USENIX-Security)
2024-08-01
2024-08-30