背景与价值Trusted Types将危险DOM写入收敛为受控类型与策略。结合CSP强制,可阻断大多数XSS注入路径。统一规范CSP强制:开启 `require-trusted-types-for 'script'` 与 `trusted-types` 白名单。Policy最小化:统一注册少量策略并限制转换范围。Sink封装:对 `innerHTML`、`insertAdjacentHTML` 等封装受控写入。核心实现CSP头与Policy注册type Res = { setHeader: (k: string, v: string) => void }
function setCsp(res: Res) {
res.setHeader('Content-Security-Policy', "require-trusted-types-for 'script'; trusted-types app-policy")
}
function registerPolicy() {
const tt = (window as any).trustedTypes
if (!tt?.createPolicy) return null
return tt.createPolicy('app-policy', {
createHTML: (s: string) => s,
createScriptURL: (u: string) => u
})
}
受控Sink封装function setHTML(el: Element, html: string, policy: any) {
if (!policy) return
const safe = policy.createHTML(html)
;(el as any).innerHTML = safe
}
function setScriptUrl(el: HTMLScriptElement, url: string, policy: any) {
if (!policy) return
const safe = policy.createScriptURL(url)
el.src = safe as any
}
落地建议在响应头启用Trusted Types严格模式并注册统一Policy,限制转换能力。对核心Sink统一封装调用,避免直接字符串写入。验证清单是否启用 `require-trusted-types-for 'script'` 与白名单策略;DOM写入是否通过受控Policy。
发表评论 取消回复