Maltemo
@maltemo.bsky.social
🇫🇷 - Security auditor. In my free time, interested in development, OSINT & Forensic. Eclectic hobbies and interests.
Blog : https://maltemo.github.io
Blog : https://maltemo.github.io
I got my answer, it’s the CSP that blocks an attacker from adding another Trusted Type. You can’t add a new trusted type if it’s name is not stated in the CSP. You can’t replace an existing one unless the 'allow-duplicates' is stated in the CSP.
Source: developer.mozilla.org/en-US/docs/W...
Source: developer.mozilla.org/en-US/docs/W...
CSP: trusted-types - HTTP | MDN
The HTTP Content-Security-Policy (CSP) trusted-types
Experimental
directive instructs user agents to restrict the creation of Trusted Types policies - functions that build non-spoofable, typed value...
developer.mozilla.org
February 6, 2025 at 10:24 AM
I got my answer, it’s the CSP that blocks an attacker from adding another Trusted Type. You can’t add a new trusted type if it’s name is not stated in the CSP. You can’t replace an existing one unless the 'allow-duplicates' is stated in the CSP.
Source: developer.mozilla.org/en-US/docs/W...
Source: developer.mozilla.org/en-US/docs/W...