Deprecate "allow-duplicates" - it's insecure and makes trusted types useless #592

@kkmuffme


The "allow-duplicates" completely negates the point of trusted types, since any attacker can just create their own "duplicate" policy with whatever unsafe callbacks.

For example, adding "allow-duplicates" suddenly allows:

const circumvent = trustedTypes.createPolicy(
	'dompurify',
	{
		createHTML( unsafe ) { return unsafe; },
		createScriptURL( unsafe ) { return unsafe; },
	}
);

foo.innerHTML = circumvent.createHTML( 'attacking...' );

At that point you're actually better off not using trusted types, since at least you're aware that/where security risks are.
"allow-duplicates" just makes trusted-types into a security theater.
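
A check for the setting this issue describes, as an added example that is not part of the original issue or the project's code: it parses a Content-Security-Policy header value and reports whether the `trusted-types` directive carries `'allow-duplicates'`. The function names, finding labels and both sample headers are constructed for illustration.

```javascript
// Added example: audit a CSP header value for 'allow-duplicates'.
// Function names and finding labels are hypothetical.
function parseCsp(headerValue) {
  // Directives are separated by ';', tokens inside a directive by whitespace.
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only its first occurrence is used.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditTrustedTypes(headerValue) {
  const directives = parseCsp(headerValue);
  const findings = [];
  // Without require-trusted-types-for 'script', sinks still accept strings.
  const required = directives.get('require-trusted-types-for') || [];
  if (!required.includes("'script'")) findings.push('sinks-not-enforced');
  const tt = directives.get('trusted-types');
  if (tt === undefined) {
    // No trusted-types directive: this header does not restrict policy creation.
    findings.push('no-policy-allowlist');
    return { policyNames: [], findings };
  }
  // Quoted tokens are keywords; everything else is an allowed policy name.
  const policyNames = tt.filter((t) => !t.startsWith("'"));
  if (tt.some((t) => t.toLowerCase() === "'allow-duplicates'")) {
    // A second createPolicy() call with an allowed name will succeed.
    findings.push('allow-duplicates');
  }
  return { policyNames, findings };
}

// Constructed sample headers: the setting from the issue, then without it.
const WEAK_HEADER =
  "require-trusted-types-for 'script'; trusted-types dompurify 'allow-duplicates'";
const STRICT_HEADER =
  "require-trusted-types-for 'script'; trusted-types dompurify";

console.log(auditTrustedTypes(WEAK_HEADER));   // reports 'allow-duplicates'
console.log(auditTrustedTypes(STRICT_HEADER)); // no findings
```

With the second header, a later `trustedTypes.createPolicy('dompurify', ...)` call for a name that already exists throws a `TypeError` instead of returning a new policy.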
