Krzysztof Kotowicz
`XSLTProcessor.importStylesheet` could also be a sink in this case, if the stylesheet nodes have a capability of causing script execution.
Sounds like it's the time to do it, yes. See also #234. // cc @mikewest - Are plugins really, really going away?
I think Mike was talking about extensions that want to use TT to prevent DOM XSS in their own code.
* static ES Module imports are definitely out of scope - the reasoning is that anyone able to control your JS program body directly (able to control the module identifiers...
https://github.com/WICG/webpackage/blob/master/explainers/subresource-loading.md introduces yet another way of indirectly changing the scripts that end up being loaded, similar to `base` tag (yay!). Perhaps we should have another type for these "indirect script...
That particular one can be replaced with `trustedTypes.emptyScript`.
Let's wait for more implementation feedback about that? For now it seems like the default policy (which, when called implicitly, always gets the same kind of arguments) is different than...
> Can we carve this out [...] ?

I think we can. Literally, the change could be:

> 3. If input has type expectedType, return stringified input and abort these...
@mikewest:

> As a not-terribly-crazy example, consider [your suggestion](https://twitter.com/kkotowicz/status/1412745999370567681) that we allow `el.innerHTML = 'noanglebrackets';`. What's the principle that says "Do this, but don't do that."?

Fundamentally, nothing blocks us...
Yes, that's correct. That's the tradeoff; we either force the developers to rewrite all of the sink assignments, even if they cannot possibly cause XSS, or introduce this surprise element....