Google working on new Chrome security feature to 'obliterate DOM XSS'

Google announces Trusted Types browser API, a new defense against DOM-based XSS attacks.
Written by Catalin Cimpanu, Contributor

Google has created a new browser API that will help Chrome fight certain types of cross-site scripting (XSS) vulnerabilities, adding another level of protection at the browser level to keep users safe from hacking attempts.

This new feature is called Trusted Types and is a browser API that Google has been working on for the past months.

The company's engineers plan to test Trusted Types throughout 2018, between Chrome 73 and Chrome 76, before rolling out and enabling it as a permanent security feature for all Chrome users later in the year, if all goes as planned.

This new security feature was developed with the intent to protect users against one of the three types of cross-site scripting flaws, namely DOM-based (or type-0) XSS.

The other two XSS types are "reflected" and "stored." A detailed breakdown of all three XSS types is available here, for readers looking to learn more on XSS.

Basically, DOM-based XSS is a security vulnerability that resides in the source code of a website. Hackers leverage so-called injection points to insert code in the browser's DOM (the page's source code) that executes unwanted malicious operations, like stealing cookies, manipulating page content, redirecting users, etc.

Trusted Types will block such attacks by allowing website owners to lock down known "injection points" in a website's code that are often the root cause of DOM-based XSS.

Website owners can enable Chrome's upcoming Trusted Types protection by setting a certain value in the Content Security Policy (CSP) HTTP response header.

Once enabled, access to DOM injection points will be restricted by Chrome's built-in Trusted Types API, blocking any attacks before the XSS exploit code can leverage the DOM (page's source code) to attack users.
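A sketch of the mechanism described above, added here as an illustration and not taken from Google's tutorial or from this article. The header uses the directive names from the current Trusted Types specification; the policy name `escape-policy`, the `#greeting` element and the helper functions are assumptions, and outside a browser a minimal stand-in replaces `trustedTypes` so the block still runs.

```javascript
// Added example. Names (escape-policy, #greeting, renderGreeting) are illustrative assumptions.

// Response header that turns enforcement on and allow-lists one policy name.
const cspHeader =
  "Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-policy";

// Encode the characters that would let text break out into markup.
function escapeHTML(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// In a browser that supports Trusted Types, use the real policy factory.
// Elsewhere (Node, older browsers) use a minimal stand-in with the same shape.
const tt = globalThis.trustedTypes ?? {
  createPolicy: (name, rules) => ({
    name,
    createHTML: (s) => ({ toString: () => rules.createHTML(s) }),
  }),
};

// The only code allowed to produce values for HTML injection points.
const escapePolicy = tt.createPolicy("escape-policy", { createHTML: escapeHTML });

// Render untrusted text (for example, taken from location.hash) via the policy.
function renderGreeting(untrustedName) {
  const html = escapePolicy.createHTML(untrustedName);
  if (typeof document !== "undefined") {
    const target = document.querySelector("#greeting");
    // Under enforcement, assigning a plain string here throws a TypeError;
    // only a value produced by an allow-listed policy is accepted.
    if (target) target.innerHTML = html;
  }
  return html.toString();
}
```

With the header in place, a security review can concentrate on the policy functions, because every other write to an injection point such as `innerHTML` fails closed.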

A tutorial on how website owners can enable Trusted Types via CSP headers, and how users can configure Chrome to use early versions of the Trusted Types API is available on the Google Developers blog.

In the same tutorial, Krzysztof Kotowicz, a Software Engineer in the Information Security Engineering team at Google, was so confident of the Trusted Types API's success that he claimed this new feature would "help obliterate DOM XSS."

More info on the Trusted Types API is available in the Web Platform Incubator Community Group (WICG) official specification.

Trusted Types will be Chrome's second XSS protection feature after XSS Auditor, which Google shipped with Chrome 4 way back in 2010.

According to an Imperva report published last month, XSS vulnerabilities were the most prevalent form of web-based attacks in 2014, 2015, 2016, and 2017. It was the second most common form of web-based attacks last year, only missing on the top position because of an uncommon spike in SQL injection attacks.

XSS vulnerabilities are often downplayed by companies and security experts because they don't always lead to direct damage to users accessing a site. However, they are often the first stepping stone in complex exploit routines, facilitating more damaging hacks. Eliminating XSS attacks would in many cases keep users safe from more complex attacks that wouldn't be possible without an initial foothold provided by XSS.

For example, this week, Bootstrap, a UI framework used by somewhere between 15 and 20 percent of all internet sites, was impacted by a DOM-based XSS. That's a huge attack surface for any attacker today.
