Trusted Types And NoScript

[Mad_Man_Moon]

Hiya, it's been a hot second since I said a thing ... since I was last here, though, I'm officially an integration engineer ... so ... that's nice!

Anyway, this is probably an "explain it to me like I am five" thing, but ... Trusted Types ... wot hel iz?

More specifically (but I despise specificity in most cases that are not work related) so ... y'know ... only use this if my rambling is too much, heh:

What Is NoScript's Interaction With 'Trusted Types' And Is It Purely To Allow NoScript To Run Properly, Or Is It To Protect Us?

I mean, I've read the Wikipedia piece at 'wiki/Cross-site_scripting#Emerging_defensive_technologies' and I do ostensibly get a broad picture ... they're like ... broad ways that a given piece of web infrastructure can 'ok' itself to be used, right? (or am I WAY off? ... heh)

But ... part of my head is saying ... isn't this another thing that could be used to hone fingerprinting and ... ... just who are the members of these 'blue teams' and ... arg ... whaaaa?

What Little I Have Learned

I have done a brief web searches (the aforementioned Wiki section being the height of that) and I also skimmed Mozilla's "Trusted_Types_API" page, I spent a bit of time in the presence of a PDF (on some German site) from Sebastian Lekies where they detail the inception and purpose of this when created with Krzysztof Kotowicz who pushed it forward without them. But I still don't really know if this is a thing that we potentially need protection FROM (ie. it is wholly benign and not ripe for exploitation) or if it is just another framework that helps secure interactions like those which NoScript improves (or, indeed, any) to improve security for the user.

Only thought I'd mention something because I noted that it was briefly mentioned in the update notes for "v 13.6.8" whenever that was released.

Background Info
This isn't a request for support, I am (as ever) just posting into the wind (as it were) and never expect or feel entitled to anyone's time, attention, or knowledge. what follows is not essential information, but if someone WAS accidentally viewing this thread as some odd stack exchange question (the worst place to ask anything ... heh ... all that "you are asking the wrong question" nonsense) then hopefully the below will either make that worse or better ... heh.

Startpage searching 'what are "trusted types"?' gave a lot of responses, obviously, including; the wiki entry, Mozilla's "Trusted_Types_API" page, the aforementioned PDF, and the W3 pages, too.

I could not see anything obvious in the forum (searching on either "trusted types" in the normal box or "+trusted +types" via advanced search - no quotes in either, obviously), plus a crawler Startpage search of the main site gives the 'changelog' and 'getit' pages detailing the updates in 13.6.8, 13.6.7.904,13.6.7.903.

[Giorgio Maone]

"Trusted Types" are an API helping web developers to write web pages which are less vulnerable to XSS, if they know what they're doing (as usual).

It's mentioned in NoScript's changelog because I had to modify the way Workers are patched to implement webgl and wasm blocking in order to accommodate web page using this relatively new technology.

[Mad_Man_Moon]

Very cool, thanks for this ... definitely feel less heightened by it!

It does seem to be a good framework, all around, aye ... hope that it doesn't make things more difficult for yous ...

"Trusted Types" are an API helping web developers to write web pages which are less vulnerable to XSS, if they know what they're doing (as usual).

It's mentioned in NoScript's changelog because I had to modify the way Workers are patched to implement webgl and wasm blocking in order to accommodate web page using this relatively new technology.