[core-xml] port https://github.com/Azure/ms-rest-js/pull/475 #24962

jeremymeng · 2023-02-23T00:24:31Z

Original PR description:

Zlatkovsky commented on Nov 15, 2022
In our use-case of the ms-rest-js library, we have a large existing application (complete with caching, service-workers, etc) that we dynamically load additional JavaScript code into. The additional JS is what brings in the ms-rest-js.

The application has Trusted Types enabled (e.g., CSP rule 'trusted-types LibraryA LibraryB etc). But, interestingly, its require-trusted-types-for 'script' is currently under "report only" (Content-Security-Policy-Report-Only). In those cases, a call to trustedTypes.createPolicy will fail because the policy isn't on the allowed-list, even though skipping the createPolicy would be OK. So in effect, Azure/ms-rest-js@531aea9 introduced a regression.

We are working on extending the allow-list of our application to include @azure/ms-rest-js#xml.browser, but that change takes time. In the meantime, we'd like to wrap the policy-creation in a try/catch. There is no security risk to it, since for host applications that DO have strict enforcement of trusted-types, the code will simply fail when the dangerous sink is used (e.g., when doing parseFromString). And likewise, wrapping in try/catch and doing nothing on catch is OK, because the code already deals with the possibility of the trustedTypes API not being available on the browser.

Packages impacted by this PR

@azure/core-xml

Original PR description: >Zlatkovsky commented on Nov 15, 2022 In our use-case of the ms-rest-js library, we have a large existing application (complete with caching, service-workers, etc) that we dynamically load additional JavaScript code into. The additional JS is what brings in the ms-rest-js. The application has Trusted Types enabled (e.g., CSP rule `'trusted-types LibraryA LibraryB etc`). But, interestingly, its `require-trusted-types-for 'script'` is currently under "report only" (`Content-Security-Policy-Report-Only`). In those cases, a call to `trustedTypes.createPolicy` will fail because the policy isn't on the allowed-list, even though _skipping_ the `createPolicy` would be OK. So in effect, Azure/ms-rest-js@531aea9 introduced a regression. We are working on extending the allow-list of our application to include `@azure/ms-rest-js#xml.browser`, but that change takes time. In the meantime, we'd like to wrap the policy-creation in a `try/catch`. There is no security risk to it, since for host applications that DO have strict enforcement of trusted-types, the code will simply fail when the dangerous sink is used (e.g., when doing `parseFromString`). And likewise, wrapping in `try/catch` and doing nothing on `catch` is OK, because the code already deals with the possibility of the trustedTypes API not being available on the browser.

azure-sdk · 2023-02-23T01:09:15Z

API change check

API changes are not detected in this pull request.

jeremymeng requested review from xirzec and deyaaeldeen as code owners February 23, 2023 00:24

ghost added the Azure.Core label Feb 23, 2023

deyaaeldeen approved these changes Feb 23, 2023

View reviewed changes

jeremymeng merged commit 55d583e into Azure:main Feb 23, 2023

jeremymeng deleted the core/port-msrestjs-475 branch February 23, 2023 18:25

jeremymeng mentioned this pull request Mar 8, 2023

Port https://github.com/Azure/ms-rest-js/pull/475 from ms-rest-js #24019

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[core-xml] port https://github.com/Azure/ms-rest-js/pull/475 #24962

[core-xml] port https://github.com/Azure/ms-rest-js/pull/475 #24962

jeremymeng commented Feb 23, 2023

azure-sdk commented Feb 23, 2023

[core-xml] port https://github.com/Azure/ms-rest-js/pull/475 #24962

[core-xml] port https://github.com/Azure/ms-rest-js/pull/475 #24962

Conversation

jeremymeng commented Feb 23, 2023

Packages impacted by this PR

azure-sdk commented Feb 23, 2023