TypeScript-DOM-lib-generator icon indicating copy to clipboard operation
TypeScript-DOM-lib-generator copied to clipboard

Published 20 hours ago verified publisher icon microsoft

DOM lib: Add support for Trusted Types API

Open tosmolka opened this issue 3 years ago • 16 comments

This PR adds support for Trusted Types APIs and Sinks in dom and worker libraries. These APIs are so far only supported by Blink. In https://github.com/microsoft/TypeScript/issues/30024 we seem to be getting an agreement to include this change anyway.

tosmolka avatar Jan 14 '22 11:01 tosmolka

Thanks for the PR!

This section of the codebase is owned by @saschanaz - if they write a comment saying "LGTM" then it will be merged.

github-actions[bot] avatar Jan 14 '22 11:01 github-actions[bot]

This needs multiple implementor interest.

saschanaz avatar Jan 14 '22 11:01 saschanaz

My understanding is that there are polyfill options for other browsers, making appropriate typings still pretty important.

shicks avatar Jan 14 '22 17:01 shicks

You're welcome to use DefinitelyTyped if you'd like to ship types which only work on a single engine 👍🏻 - though it might be quite difficult given how much existing code this affects.

orta avatar Jan 14 '22 17:01 orta

Either way, this needs to take advantage of the new differently-typed getter/setter feature in order to be properly backwards-compatible. For example,

interface Element {
  get outerHTML(): string;
  set outerHTML(html: string|TrustedHTML);
}

shicks avatar Jan 14 '22 17:01 shicks

@shicks , can you please take another look? Do you think this would be backwards-compatible? I ended up introducing setterType as I could not find a way to do what we wanted with current implementation of emitProperty. Happy to choose different approach if needed.

tosmolka avatar Jan 17 '22 15:01 tosmolka

This looks much better. IIUC, the TypeScript team has a corpus of real world code that they can compile against - presumably they'd want to test this against that corpus to make sure it doesn't break anything significant.

The main breakage I anticipate at this point is if anybody is implementing the DOM API (i.e. like a NodeJS virtual DOM) - but at this point anybody who's just using the DOM should be fine.

shicks avatar Mar 29 '22 22:03 shicks

We're prototyping the use of TrustedHTML at GitHub, and would really love to see this land!

lgarron avatar May 18 '22 20:05 lgarron

Is there any chance of moving this forward in the near future?

https://github.com/DefinitelyTyped/DefinitelyTyped/pull/61160 was making some progress last month, but my understanding is that it will still be hard to use if the Element.innerHTML setter still only allows string assignment in lib.dom.d.ts. This makes it rather tricky to use trusted types in practice, without working around lots of errors. 😔

lgarron avatar Aug 16 '22 18:08 lgarron

So far no implementer interest outside of Google, so a progress can happen when something happens there.

saschanaz avatar Aug 16 '22 19:08 saschanaz

So far no implementer interest outside of Google, so a progress can happen when something happens there.

🙋 We are actively working on exploring trusted types on the github.com site, and are specifically running into challenges with the concrete implementation due to this. 🤓

By implementer, I'm guessing you might mean just browsers, though?

Is there any way to make the innerHTML setter type at least compatible with TrustedHTML from @types/trusted-types? That would make a big difference. (For example, one blunt possibility would be for .innerHTML to accept any string or any object with toString().)

lgarron avatar Aug 16 '22 19:08 lgarron

By implementer, I'm guessing you might mean just browsers, though?

Yes.

Is there any way to make the innerHTML setter type at least compatible with TrustedHTML from @types/trusted-types? That would make a big difference.

That's really a thing that needs a Microsoft decision, but I think TS should support overloading the setter declaration to make it compatible.

saschanaz avatar Aug 16 '22 19:08 saschanaz

So far no implementer interest outside of Google, so a progress can happen when something happens there.

There is now multi implementor interest: https://github.com/mozilla/standards-positions/issues/20#issuecomment-1853427823, with a Gecko implementation progressing. Implementation in WebKit is also ongoing. What are the next best steps?

koto avatar May 16 '24 12:05 koto

When the feature ships, MDN data will be updated and that will be automatically reflected here.

saschanaz avatar May 16 '24 12:05 saschanaz

When the feature ships, MDN data will be updated and that will be automatically reflected here.

Do you mean browser compat data on MDN? I think browser compat data on MDN is manually updated, at least that was the case when the Trusted Types shipped in Chrome. Once that happens (which, I guess, is after shipping in Gecko or WebKit), what is actually happening automatically in this repo? Trusted Types APIs are already largely integrated in HTML, DOM and other specs (e.g. https://dom.spec.whatwg.org/#parentnode).

Sorry for those basic questions, I'm just trying to figure out what needs manual work and when is it best to do that work. It seems like the 'when' part is after 2nd implementation part ships, but I don't know yet the 'what' part.

koto avatar May 16 '24 14:05 koto

Do you mean browser compat data on MDN? I think browser compat data on MDN is manually updated, at least that was the case when the Trusted Types shipped in Chrome.

Yes. After that a friendly bot will come along and create here a PR like this: #1726

HolgerJeromin avatar May 16 '24 14:05 HolgerJeromin