Specification Enhancement: Add blob navigation enforcement to Trusted Types #599
Description
Executive Summary
A critical security enhancement to the Trusted Types specification is proposed to address DOM XSS bypasses that exploit blob: URL navigations. Currently, the specification does not explicitly define the security semantics for navigating to a blob URL. This creates a vulnerability where attacker-controlled content can be executed within a trusted origin's context, bypassing require-trusted-types-for 'script' enforcement.
Problem Statement & Evidence
The fundamental issue is that the security properties of a blob's content are not maintained or re-evaluated upon navigation. As highlighted in Chromium developer discussions, treating a blob created from trusted input as inherently safe is a flawed assumption. This oversight effectively creates a form of stored XSS within the browser's blob storage.
Attack Scenario:
// PoC demonstrates the bypass
const maliciousHTML = `<script>/* XSS payload */</script>`;
const blob = new Blob([maliciousHTML], {type: 'text/html'});
const blobURL = URL.createObjectURL(blob);
// Navigation to blobURL executes the script in the creator's origin,
// bypassing Trusted Types policies enforced on the parent document.
window.location = blobURL;This and similar patterns are documented in public proof-of-concept collections, such as shhnjk/cursed_types on GitHub, and are acknowledged as a valid bypass vector.
Furthermore, threat actors are actively weaponizing blob: URLs for phishing and malware delivery in real-world scenarios. By hosting ephemeral malicious documents, they can evade network-level scanners, a trend documented by Cofense Intelligence. This underscores the urgent need to strengthen their security model.
Proposed Solution: Verifiable Provenance for Blob URLs
To address this, an extension of the Trusted Types model is proposed to include a verifiable provenance mechanism for blob URLs. This approach moves beyond treating opaque UUIDs as security tokens and instead associates a signed, tamper-evident token with each blob.
1. Provenance Token:
When a blob is created using URL.createObjectURL(), the browser should generate and store a compact, signed provenance token containing:
- Creator Origin: The origin of the document that created the blob.
- Trusted Types Policy Metadata: If created from a
TrustedHTMLobject, include the policy name and a hash of the policy's code. - Timestamp and Nonce: To prevent replay attacks and manage the token's lifetime.
- Signature: An HMAC or other signature to ensure the token's integrity.
This structure is inspired by the W3C PROV model, which provides a standardized way to represent provenance.
2. Navigation-Time Enforcement:
When navigation to a blob: URL is initiated, the browser must perform the following checks:
- Retrieve the associated provenance token.
- Verify the signature to ensure the token has not been tampered with.
- Validate the creator origin against the navigating context's origin and cross-origin policies (COOP/COEP).
- Check Trusted Types Policy: If the destination context enforces Trusted Types, the browser must verify that the blob's policy metadata is present and matches the current enforcement rules.
- Fail-Secure: If any check fails (e.g., no provenance, invalid signature, policy mismatch), the navigation must be blocked or redirected to a sandboxed context.
3. CSP Integration:
A new Content Security Policy (CSP) directive is proposed to control this behavior:
Content-Security-Policy: trusted-types-blob-navigation 'enforce';
This directive allows sites to opt into strict enforcement, ensuring backward compatibility while providing a clear path for enhanced security.
Next Steps & Community Engagement
This proposal is intended to initiate a discussion within the Web Application Security Working Group. It aligns with the ongoing evolution of Trusted Types and the broader trend in browser security to tighten controls around pseudo-schemes like blob:. We are prepared to contribute to the specification text, provide a reference implementation report based on our work in Chromium, and develop Web Platform Tests (WPTs) to ensure cross-browser consistency.