Luke Warlow

Results 607 comments of Luke Warlow

For the sake of keeping the spec moving I've made two new issues to track the remaining questions here and am going to get this merged in so we can...

I'm reopening this issue to restart this conversation. I think something that's been missed in previous considerations is that some use cases might care more about security than compatibility. >...

As part of https://github.com/w3c/trusted-types/pull/464 - we get the raw arguments to eval and new Function() so we can ensure they are trusted types which would make this easier

Closing this to focus discussions in https://github.com/w3c/webappsec-csp/pull/665

I also don't think the slot can be initially null either. `data:text/html,const s = document.createElement('script'); container.appendChild(s);

So I did some digging and in Chromium it's done in the FinishParsingChildren function I think that corresponds to somewhere inside of https://html.spec.whatwg.org/multipage/parsing.html#create-an-element-for-the-token but it's possible there's a higher level...

Interestingly the spec is also specifically focused on HTMLScriptElement but the Chrome patch also touches SVGScriptElement so some clarity there would be good too.

While implementing this in WebKit I'm getting an error where replaceWith is causing a trusted types error that doesn't happen in Chromium and that also seems to have other unspecced...

> Per which part of the spec would that trigger a TT violation?

When it's running prepare script text it will compare the inner slot value to the child text...

I've made a PR that attempts to add the node manipulation APIs to the spec: https://github.com/w3c/trusted-types/pull/440 The algorithm is slightly unwieldy and I feel like it can probably be simplified...