I don't think you can build applications without using the dangerous sinks at all yet. Some common scenarios we know are common: window.open href Setting text on a script element Setting src of a script element…
Trusted Types aim to prevent the injection, XSS-y CSP directives (script-src etc) act as an XSS exploit mitigation that fires after the injection is already there. So, for example, even if the JS execution is stopped,…
Well, the age of in-browser reflected xss filters is simply over. This was a flawed idea for multiple reasons, and they are thankfully now gone from Chrome and Edge…
Exactly. That said, because the API itself is typed, it is possible to have the runtime enforcement also verified when statically type-checking your application code (e.g. that innerHTML is passed a TrustedHTML value,…
Disclaimer: I'm working on the Trusted Types project in Google. To clarify, Trusted Types are not a replacement for XSS auditor. They are both related to XSS, but are fundamentally different and even target different…
That's a well researched problem, and is common in most JavaScript frameworks. In practice it makes it harder to protect applications using them against XSS. Check…
See https://github.com/google/end-to-end/wiki/Key-Distribution. In short, we don't invest much into WoT.
I'm an developer on E2E team as well and can confirm that there's no 'hardening' going on. E2E is, to the best of our knowledge and we have expressed what that exactly means in our threat model:…
One of the developers here: Yes, the Keyring reimplementation is in progress and ends very soon. After the redesign, applications built on top of E2E library will be able to use different sources of both public and…
As vague as is may sound, once we feel it's ready. The development is active, but there is still a lot of work to make the project release-ready. You might help too - we started accepting external contributions recently…
Symmetric encryption key (Km in the article) get encrypted separately with Alice, Bob, Sam and Joe public keys and then all those encrypted keys get concatenated with the message.
That's this bug: https://code.google.com/p/end-to-end/issues/detail?id=121 , it will get fixed after weekend. Disclaimer: I'm a member of E2E team.
I don't think you can build applications without using the dangerous sinks at all yet. Some common scenarios we know are common: window.open href Setting text on a script element Setting src of a script element…
Trusted Types aim to prevent the injection, XSS-y CSP directives (script-src etc) act as an XSS exploit mitigation that fires after the injection is already there. So, for example, even if the JS execution is stopped,…
Well, the age of in-browser reflected xss filters is simply over. This was a flawed idea for multiple reasons, and they are thankfully now gone from Chrome and Edge…
Exactly. That said, because the API itself is typed, it is possible to have the runtime enforcement also verified when statically type-checking your application code (e.g. that innerHTML is passed a TrustedHTML value,…
Disclaimer: I'm working on the Trusted Types project in Google. To clarify, Trusted Types are not a replacement for XSS auditor. They are both related to XSS, but are fundamentally different and even target different…
That's a well researched problem, and is common in most JavaScript frameworks. In practice it makes it harder to protect applications using them against XSS. Check…
See https://github.com/google/end-to-end/wiki/Key-Distribution. In short, we don't invest much into WoT.
I'm an developer on E2E team as well and can confirm that there's no 'hardening' going on. E2E is, to the best of our knowledge and we have expressed what that exactly means in our threat model:…
One of the developers here: Yes, the Keyring reimplementation is in progress and ends very soon. After the redesign, applications built on top of E2E library will be able to use different sources of both public and…
As vague as is may sound, once we feel it's ready. The development is active, but there is still a lot of work to make the project release-ready. You might help too - we started accepting external contributions recently…
Symmetric encryption key (Km in the article) get encrypted separately with Alice, Bob, Sam and Joe public keys and then all those encrypted keys get concatenated with the message.
That's this bug: https://code.google.com/p/end-to-end/issues/detail?id=121 , it will get fixed after weekend. Disclaimer: I'm a member of E2E team.