
Core: Support Trusted Types

Open tosmolka opened this issue 4 years ago • 4 comments

Create HTML from a string via a custom Trusted Types policy in browsers that support Trusted Types.

This PR fixes #478

tosmolka avatar Oct 01 '21 14:10 tosmolka

I am not comfortable with the size increase of this PR and don't know if it can come down enough to change that, although something like this could be attempted:

	// Fallback for browsers without Trusted Types: pass strings through unchanged.
	trustedTypesPolicy = {
		createHTML: function( html ) {
			return html;
		}
	};

	// Where the browser supports Trusted Types, register the same rules as a named
	// policy. createPolicy needs the rules object; a policy created without one has
	// no createHTML. If registration throws (no support, or CSP disallows the name),
	// the plain-string fallback above stays in place.
	try {
		trustedTypesPolicy = window.trustedTypes.createPolicy( "sizzle", trustedTypesPolicy );
	} catch ( e ) {}

gibson042 avatar Oct 01 '21 16:10 gibson042

Also, note that just defining a policy & using it still won't solve all the issues. You can declare in CSP that you not only want to enforce Trusted Types usage but also only allow specific policy names. Such declarations would work with jQuery 4.x now but they'd fail with Sizzle with the current patch.

mgol avatar Oct 01 '21 17:10 mgol
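The interaction described in the two comments above (an identity policy with a plain-string fallback, and a CSP that both requires Trusted Types and restricts policy names) can be exercised outside a browser. The following is an added example and not Sizzle's or jQuery's code: `TrustedHTMLMock`, `makeTrustedTypes`, `parseTrustedTypesDirective` and `assignInnerHTML` are constructed stand-ins for the browser's `TrustedHTML`, `window.trustedTypes` and an HTML sink such as `innerHTML`; `createLibraryPolicy` follows the fallback pattern sketched in the thread, and the policy names and CSP strings are made up for the demonstration.

```javascript
// Added example, not Sizzle's or jQuery's code. Models, in plain Node, how an
// identity Trusted Types policy with a string fallback behaves under a CSP that
// (a) enforces Trusted Types and (b) allows only specific policy names.

// Constructed stand-in for the browser's TrustedHTML wrapper type.
class TrustedHTMLMock {
  constructor( value ) { this.value = value; }
  toString() { return this.value; }
}

// Collect the policy names listed in a CSP `trusted-types` directive, e.g.
// "trusted-types jquery 'allow-duplicates'" -> [ "jquery" ]. Quoted keywords are
// skipped. Returns null when the directive is absent (any policy name is allowed).
function parseTrustedTypesDirective( csp ) {
  const directive = csp.split( ";" ).map( ( s ) => s.trim() )
    .find( ( s ) => /^trusted-types(\s|$)/.test( s ) );
  if ( !directive ) { return null; }
  return directive.split( /\s+/ ).slice( 1 ).filter( ( t ) => !t.startsWith( "'" ) );
}

// Constructed stand-in for window.trustedTypes: createPolicy rejects names the
// directive does not allow, and a policy created without a createHTML rule has no
// usable createHTML (mirroring what the browser API does).
function makeTrustedTypes( csp ) {
  const allowed = parseTrustedTypesDirective( csp );
  return {
    createPolicy( name, rules ) {
      if ( allowed !== null && !allowed.includes( name ) ) {
        throw new TypeError( "Policy \"" + name + "\" is not allowed by the trusted-types directive" );
      }
      return {
        name: name,
        createHTML( input ) {
          if ( !rules || typeof rules.createHTML !== "function" ) {
            throw new TypeError( "Policy has no createHTML rule" );
          }
          return new TrustedHTMLMock( rules.createHTML( String( input ) ) );
        }
      };
    },
    isHTML( value ) { return value instanceof TrustedHTMLMock; }
  };
}

// The pattern sketched in the thread: start with an identity fallback that returns
// plain strings, then try to register the same rules as a named policy. When the
// browser has no Trusted Types, or CSP rejects the name, the fallback stays in place.
function createLibraryPolicy( trustedTypes, policyName ) {
  let policy = { createHTML: ( html ) => html };
  try {
    policy = trustedTypes.createPolicy( policyName, policy );
  } catch ( e ) {}
  return policy;
}

// Constructed stand-in for an HTML sink such as innerHTML: under
// `require-trusted-types-for 'script'` only TrustedHTML values are accepted.
function assignInnerHTML( trustedTypes, csp, value ) {
  const enforcing = /require-trusted-types-for\s+'script'/.test( csp );
  if ( enforcing && !trustedTypes.isHTML( value ) ) {
    throw new TypeError( "This document requires 'TrustedHTML' assignment" );
  }
  return String( value );
}

// A library creating markup under the given CSP, registering under its own policy name.
// Returns "ok" when the sink accepts the value and "blocked" when CSP rejects it.
function createFromMarkup( csp, policyName, html ) {
  const trustedTypes = makeTrustedTypes( csp );
  const policy = createLibraryPolicy( trustedTypes, policyName );
  try {
    assignInnerHTML( trustedTypes, csp, policy.createHTML( html ) );
    return "ok";
  } catch ( e ) {
    return "blocked";
  }
}

// A page that allows only the "jquery" policy name (constructed CSP): that policy
// works, while a library registering under another name silently falls back to
// plain strings and is then blocked at the sink.
const STRICT_CSP = "require-trusted-types-for 'script'; trusted-types jquery";
console.log( createFromMarkup( STRICT_CSP, "jquery", "<p>hi</p>" ) ); // ok
console.log( createFromMarkup( STRICT_CSP, "sizzle", "<p>hi</p>" ) ); // blocked
```

The fallback makes the library work everywhere Trusted Types are absent or unrestricted, but it also hides the failure case: when the page's `trusted-types` directive does not list the library's policy name, `createPolicy` throws, the identity fallback quietly takes over, and the first real sink assignment is what fails. Logging the caught exception (or reporting it through `report-uri`/`report-to` on the CSP) is what makes that case visible to the site operator.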

This PR is loosely related to https://github.com/jquery/sizzle/pull/472 where the AdGuard team also proposed a TT policy for Sizzle.

tosmolka avatar May 11 '22 11:05 tosmolka

@tosmolka To be honest, their approach of forking Sizzle makes sense for their use case. We're going to archive Sizzle soon and jQuery 3.7.0 & newer will have their own embedded selector engine based on Sizzle but cleaned up a lot.

The first jQuery version with Trusted Types support will be 4.0.0.

mgol avatar Feb 14 '23 12:02 mgol