Krzysztof Kotowicz
FWIW, we're seeing `.innerHTML = ''` across hundreds of separate products. This is really a prevalent pattern, and will likely result in friction for most applications adopting TT. We can...
This could also be configurable by an opt-in flag, if needed. Since `require-trusted-types-for` controls the sinks, `require-trusted-types-for 'script' 'allow-empty-html'`? I don't think that's absolutely necessary, as it's too verbose...
It's a valid point. Let's find out if there are code bases that only have these types of violations. If they are common, adding this feature in TT would significantly...
Chrome disallows javascript: base URLs (http://crbug.com/679318), other browsers don't follow that behavior: https://github.com/whatwg/html/issues/2249. The issue though is mostly about changing the meaning of relative URLs, rather than javascript: prefix in...
To understand your use case correctly, you'd like to know if *any* enforcement is enabled (i.e. string assignment to XSS sinks throws)? Given that it seems like custom runtime-defined policies...
Coming back to this, I'm not sure if we should encourage checking for _enforcement_. Given that TTs are backwards compatible when used with DOM sinks, it might be better if...
If I understand correctly, what would be needed is not `areTTsEnforced`, but rather `isFallbackPolicyEnforced`, i.e. the enforcement check makes sense only if there is also a fallback policy (btw -...
Yes.

On Wed, Jun 20, 2018, 22:51 xtofian wrote:
> FWIW, one could presumably check whether or not any policy is enabled as
> follows, right?
>
> 'TrustedTypes' in...
> has exactly the same effect as `node.innerHTML = foo;`

The difference is `node.innerHTML = foo` leaves you vulnerable if the policies are not enforced. Since this is a shorter...
Oh, I assumed useFallback is true _iff_ fallback policy is _defined_ (like in https://github.com/WICG/trusted-types/issues/36#issuecomment-398895454). I assume there is no way (short of `try {} catch {}`) to detect enforcement, and...