Krzysztof Kotowicz
So, summarizing the options, the integration as outlined is OK given the constraints and the intention of the API, but there's a slight preference to do option 2 + before,...
@annevk That is quite similar to how it is defined currently: We typedef [HTMLString](https://w3c.github.io/webappsec-trusted-types/dist/spec/#typedefdef-htmlstring) union and [set the attribute on the union](https://w3c.github.io/webappsec-trusted-types/dist/spec/#extensions-to-the-document-interface). We could set it for the `DOMString` only,...
> I don't think we can achieve that without introducing a modification to the string type. A union type will always cause specs to branch on both forks of the...
Hey, a Trusted Types representative here :) We're happy to help if you need any clarifications, have questions around the feature or suggestions for the API. We think it's a...
> I wonder if we want an arbitrary extension point for this or just call into Trusted Types directly. I don't have a strong preference here. As long as it...
https://github.com/whatwg/dom/pull/1247 and https://github.com/w3c/trusted-types/pull/418 supersede this one. Unfortunately handling the attr mutation in DOM happens now after setting the new value, so I had to add an explicit new step to...
> [...] what we envisage the usage of Function() with the default policy to actually look like? Is it likely to actually need to modify the value? Or is it...
I can't speak for the spirit of the regulatory assessment, but a crucial difference between `eval` and `TrustedScript.fromLiteral` case is that the latter cannot be a DOM XSS, since the...
Revisiting that: it sounds to me like we should keep the object/embed enforcement for now, as at least we should also make TT a viable solution for the browser extensions....