Frédéric Wang

Per Luke's comment, no spec changes are needed, so changing title to indicate this is only about tests. I've opened https://github.com/web-platform-tests/wpt/pull/48760 for that.

This is the Chromium issue: https://issues.chromium.org/issues/375219958 https://github.com/web-platform-tests/wpt/pull/48760 landed, so I believe we can close this.

Skimming over existing WPT tests, it seems all the event handler attributes used in tests are coming from [GlobalEventHandlers](https://html.spec.whatwg.org/multipage/webappapis.html#globaleventhandlers). Conversely, all event handler attributes from `GlobalEventHandlers` are covered by `trusted-types-event-handlers.html`...

Tests trying to be a bit more complete have been added since my previous comment: https://wpt.fyi/results/trusted-types/TrustedTypePolicyFactory-getAttributeType-event-handler-content-attributes.tentative.html https://wpt.fyi/results/trusted-types/set-event-handlers-content-attributes.tentative.html Note that the list of content event attribute (and associated interface) are enumerated...

@annevk @lukewarlow finally open the PR https://github.com/web-platform-tests/wpt/pull/50295

@annevk @lukewarlow One thing that I have been wondering for a while, is whether we should make the "Get Trusted Type data for attribute" a bit more restrictive and only...

Trusted Types spec: https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts HTML spec: https://html.spec.whatwg.org/multipage/infrastructure.html#tt-trustedhtml https://html.spec.whatwg.org/multipage/infrastructure.html#tt-trustedscript https://html.spec.whatwg.org/multipage/infrastructure.html#tt-trustedscripturl DOM spec: https://github.com/whatwg/dom/pull/1268 CSP spec: https://w3c.github.io/webappsec-csp/#can-compile-strings SVG spec (merged PR don't seem to show up on https://svgwg.org/svg2-draft): https://github.com/w3c/svgwg/pull/934 Service Workers spec:...

Trusted Types spec: * ~~`HTMLScriptElement`'s `innerText` (`TrustedScript`) -- covered by block-string-assignment-to-text-and-url-sinks.html~~ * ~~`HTMLScriptElement`'s `textContent` (`TrustedScript`) -- covered by block-string-assignment-to-text-and-url-sinks.html~~ * ~~`HTMLScriptElement`'s `src` (`TrustedScriptURL`) -- covered block-string-assignment-to-text-and-url-sinks.html~~ * ~~`HTMLScriptElement`'s `text` (`TrustedScript`)...

@lukewarlow yes I noticed that. It seems some PRs have been merged but are still not public. will follow-up with you privately

https://github.com/w3c/trusted-types/issues/494#issuecomment-2572763334 should now be an up-to-date list of existing sinks. Still need to check whether we cover everything. The state of the SVG spec is still not great, but essentially...