Justin Goping 44c89e50c8
Route Loader Trusted Types Violation Fix (#34730)
Linked to issue #32209.

## Feature

- [ ] Implements an existing feature request or RFC. Make sure the feature request has been accepted for implementation before opening a PR.
- [x] Related issues linked using `fixes #number`
- [ ] Integration tests added
- [ ] Documentation added
- [ ] Telemetry added. In case of a feature if it's used or not.
- [ ] Errors have helpful link attached, see `contributing.md`

## Documentation
There is one tsec violation that is fixed in this PR:
### 1. ban-script-src-assignment: route-loader.ts
XSS can occur with the line `script.src = src` in `appendScript(src, script)` if `src` can be controlled by a malicious user. From tracing through the code, it was determined that `src` comes from the function `getFilesForRoute(route)`. The behaviour of this function differs depending on the environment (development vs. production), but in both cases the function will construct strings that lead to valid file paths. These strings depend on two variables: `assetPrefix` and `route`, but due to the nature of the constructed strings it was determined that the scripts here are safe to use. Thus, the solution was to promote these strings to `TrustedScriptURL`s. This is the Trusted Types way of declaring that the script URL passed to the DOM sink is safe from DOM XSS attacks.

To create a `TrustedScriptURL`, a policy needs to be created. This policy was put in its own file: `client/trusted-types.ts`. This policy has the name `nextjs`. If this name should be changed to something else, feel free to change it now. However, once it is released to the public and application developers begin using it, it may be harder to change the value since any application developers with a custom policy name allowlist would now need to update their `next.config.js` headers to allow this new name.

The code was tested in a sample application to ensure it behaved as expected.
2022-05-03 23:22:08 +00:00
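The policy and sink the commit message describes, as an added example in JavaScript that is not the PR's code: a policy named `nextjs` whose `createScriptURL` rule checks a URL before promoting it, an `appendScript` sink that assigns the policy output to `script.src`, and a fallback for browsers without `trustedTypes`. The allowlist rule (scripts must resolve under `${assetPrefix}/_next/`), the placeholder origin, `fakeTrustedTypes` and the fake document are assumptions constructed so the code runs offline in Node.

```javascript
const POLICY_NAME = 'nextjs'; // must match the name allowlisted in next.config.js headers

// ASSUMED allowlist rule: a trusted route script is http(s) and resolves
// under `${assetPrefix}/_next/` (rejects javascript:, data:, other hosts, ../ escapes).
function isAllowedScriptURL(src, assetPrefix) {
  const origin = 'https://app.example'; // placeholder page origin
  let url;
  try { url = new URL(src, origin); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const base = new URL(`${assetPrefix}/_next/`, origin);
  return url.href.startsWith(base.href);
}

// Build the policy. `tt` is window.trustedTypes in a browser; when the API is
// absent the same rules object is returned, so the check still runs and the
// sink simply receives a plain string.
function createTrustedTypesPolicy(tt, assetPrefix) {
  const rules = {
    createScriptURL(src) {
      if (!isAllowedScriptURL(src, assetPrefix)) {
        throw new TypeError(`refused to trust script URL: ${src}`);
      }
      return src;
    },
  };
  return tt && typeof tt.createPolicy === 'function'
    ? tt.createPolicy(POLICY_NAME, rules)
    : rules;
}

// The route-loader sink: script.src receives the policy output, never a raw string.
function appendScript(src, policy, doc) {
  const script = doc.createElement('script');
  script.src = policy.createScriptURL(src);
  doc.body.appendChild(script);
  return script;
}

// Constructed stand-in for window.trustedTypes so the example runs in Node.
// A real policy returns TrustedScriptURL objects; this one tags the value.
const fakeTrustedTypes = {
  createPolicy(name, rules) {
    return { name, createScriptURL: (s) => ({ trusted: true, url: rules.createScriptURL(s) }) };
  },
};
```

In a browser whose CSP sets `require-trusted-types-for 'script'`, assigning a plain string to `script.src` throws, so the policy output must be used at every such sink.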