
Trusted Types are breaking clipboard pasting #1485

Closed
andre-steudel opened this issue Aug 29, 2024 · 4 comments

@andre-steudel

What is the issue?

When I use a strict CSP rule in my project, I get an error when I try to paste text or images in the editor. Text will work with an error; images will not work at all.
The require-trusted-types rule is experimental, though it's recommended by frameworks, e.g. Angular, to prevent XSS.

Steps to reproduce

  1. Insert a CSP rule which uses trusted types, e.g.

```html
<meta
  http-equiv="Content-Security-Policy"
  content="default-src 'self'; style-src 'self' 'unsafe-inline'; require-trusted-types-for 'script';"
/>
```

  2. Paste something in the editor

Expected behavior

I can paste images or text

Actual behavior

The text is pasted but I see an error in the console (image pasting will not work)

```text
Uncaught TypeError: Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment.
    at readHTML
    at parseFromClipboard
```

@marijnh
Member

marijnh commented Aug 29, 2024

Which browser is this? This innerHTML is performed in a detached document to explicitly prevent cross-site attacks. Blocking that here seems like a browser misbehavior.

For the time being, I suspect you're going to have to turn off this policy to work around the issue.

@andre-steudel
Author

I see, it happens on the latest Chrome.

@marijnh
Member

marijnh commented Aug 30, 2024

It appears DOMParser.parseFromString requires the same privilege as innerHTML and is blocked by that policy as well. Which is, frankly, kind of ridiculous — you can write your own HTML parser in JavaScript, but you aren't allowed to use the browser's built-in parser.

@marijnh
Member

marijnh commented Aug 30, 2024

Oh, apparently you can 'declare' that a string is safe with window.trustedTypes. Attached patch does this.
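The mechanism discussed in this thread, as an added example that is not ProseMirror's own code or the attached patch: under the CSP from the reproduction steps (`require-trusted-types-for 'script'`), string sinks such as `innerHTML` and `DOMParser.parseFromString` reject plain strings, and the fix is to register a policy with `window.trustedTypes` and pass the pasted HTML through it before the parse. The policy name `clipboard-parser` and the in-memory stand-in for `trustedTypes` are assumptions made so the file also runs outside a browser; in a browser the real API and `DOMParser` are used instead.

```javascript
// Added example (not ProseMirror's code): making the clipboard HTML step
// compatible with a CSP that contains `require-trusted-types-for 'script'`.
// Under that policy, string sinks such as innerHTML and
// DOMParser.parseFromString reject plain strings; the pasted HTML has to be
// wrapped by a Trusted Types policy first. The policy name "clipboard-parser"
// and the in-memory stand-in for window.trustedTypes are assumptions made so
// the file also runs outside a browser (e.g. under Node).

// Stand-in for the browser's TrustedHTML type and TrustedTypePolicyFactory.
// Only used when globalThis.trustedTypes is absent.
class SimulatedTrustedHTML {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}

const simulatedTrustedTypes = {
  policies: new Map(),
  createPolicy(name, rules) {
    // Browsers also refuse to create a policy twice under the same name
    // unless the CSP explicitly allows duplicates.
    if (this.policies.has(name)) throw new TypeError(`Policy "${name}" already exists`);
    const policy = {
      name,
      createHTML: (s) => new SimulatedTrustedHTML(String(rules.createHTML(String(s)))),
    };
    this.policies.set(name, policy);
    return policy;
  },
  isHTML(value) { return value instanceof SimulatedTrustedHTML; },
};

const tt = globalThis.trustedTypes || simulatedTrustedTypes;

// Create the policy once, at module load; repeated createPolicy calls with
// the same name throw. createHTML passes the string through unchanged: the
// parse below happens in a detached document, so no markup reaches the live
// page from this step. The policy only declares the string as TrustedHTML.
let clipboardPolicy = null;
function getClipboardPolicy(trustedTypes = tt, name = "clipboard-parser") {
  if (!clipboardPolicy) {
    clipboardPolicy = trustedTypes.createPolicy(name, { createHTML: (s) => s });
  }
  return clipboardPolicy;
}

// The sink. In a browser this is DOMParser.parseFromString on a detached
// document; outside one, a simulation that enforces the same rule and
// raises the error text seen in the issue.
function parseIntoDetachedDocument(value, trustedTypes = tt) {
  if (typeof DOMParser !== "undefined") {
    const doc = new DOMParser().parseFromString(value, "text/html");
    return doc.body.innerHTML;
  }
  if (!trustedTypes.isHTML(value)) {
    throw new TypeError(
      "Failed to set the 'innerHTML' property on 'Element': This document requires 'TrustedHTML' assignment."
    );
  }
  return String(value);
}

// readHTML as clipboard code would call it. `trusted = false` reproduces the
// failing behaviour from the issue; `trusted = true` applies the policy.
function readHTML(html, trusted = true) {
  const value = trusted ? getClipboardPolicy().createHTML(html) : html;
  return parseIntoDetachedDocument(value);
}

// Runs both paths on a constructed paste and reports the outcome without throwing.
function demonstrate(html = "<p>pasted <b>text</b></p>") {
  let rawError = null;
  try { readHTML(html, false); } catch (err) { rawError = err.message; }
  return { rawError, withPolicy: readHTML(html, true) };
}
```

If the page's CSP also carries a `trusted-types` directive, the policy name must appear in that directive's allow-list or `createPolicy` throws; a policy whose `createHTML` is the identity is acceptable here only because the result is parsed into a detached document rather than inserted into the live page.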
