[RFC] Integrate Trusted Types API

[kazuma0129]

Start Date: 2023-12-14
Target Major Version: 3.x

Summary

This RFC proposes integrating the Trusted Types API into Vue 3 to enhance security against Cross-Site Scripting (XSS) vulnerabilities. The goal is to automate secure DOM handling, enabling developers to utilize Vue features without managing Trusted Types explicitly.

Motivation

Frameworks like Lit (Lit's release notes) and Angular (Angular's security guide) have adopted Trusted Types, showing significant steps in web security. Vue 3 should follow this path to enhance security and align with current front-end development practices. However, the PR was previously created in Vue 2 to integrate Trusted Types, but it appears to have been recently closed. ref: vuejs/vue#10491

Basic Example

Within Vue 3, the v-html directive is commonly used for binding HTML content. After the integration of Trusted Types, this directive will internally utilize the Trusted Types API for content sanitization. The usage for developers remains unchanged, ensuring ease of use with improved security. For instance:

<!-- Usage by developers in Vue 3 -->
<div v-html="userContent"></div>

Here, userContent will automatically be processed through Vue-managed Trusted Types policies, ensuring the content is safe and free from XSS threats.

Detailed Design

• Implementation Adjustments: Modifications in Vue's core system to include Trusted Types API, focusing on HTML content management.
• Configurable Opt-in: Introduction of a configuration setting for Trusted Types, maintaining backward compatibility.
• Policy Management: Provision of a default Trusted Types policy and customization options for developers.
• Extensive Documentation: Detailed documentation and examples demonstrating Trusted Types in Vue 3 applications.
• Soliciting Community Input: Feedback from the Vue.js core team and community will be sought for proposal refinement.

Considerations Regarding Browser Support and Experimental Status

• Limited Browser Support: Current browser support for Trusted Types is limited, as detailed in Mozilla's Trusted Types documentation.
• Feature Status: Trusted Types, being experimental, may undergo changes, as mentioned in the W3C Web Application Security Working Group's spec.
• Fallback Strategies: Development of fallback strategies for browsers without Trusted Types support.
• Awareness and Documentation: Clear documentation about Trusted Types' limitations and experimental status.
• Monitoring and Updates: Continuous monitoring of Trusted Types development and adoption.

[whisust]

Point in favor of this one: As of today, Gmail web now enforces Trusted Types. We have a Chrome extension based on Vue, which now cannot load without Trusted Types support, forcing us either to live without or change for another framework which supports TT.

[dargmuesli]

I'm in favor of this RFC.
Here is advanced browser support information: https://caniuse.com/trusted-types

[lukewarlow]

Here, userContent will automatically be processed through Vue-managed Trusted Types policies, ensuring the content is safe and free from XSS threats.

I'm not convinced v-html should do anything special with string values, they should be passed to the sink as is and the trusted type API's default policy behaviour will be invoked if the end user wants to sanitise or reject the values.

That aside I think it's a great idea to integrate the trusted types APIs into the Vue framework.

[haoqunjiang]

Related PR: vuejs/core#10844