trusted-types icon indicating copy to clipboard operation
trusted-types copied to clipboard

Published 20 hours ago verified publisher icon w3c

Set slot values when called directly by the parser

Open koto opened this issue 4 years ago • 2 comments

Scripts created by the parser don't have their slot values filled, which formally would cause the default policy invocation in prepare script url and text - and might cause the rejection of the values at parsing time since create an element for the token will append content attributes, to which we're adding validate steps.

When writing the attribute validate steps for scripts, we should accept the value and bail out if the algorithm was called from within HTML parser. We should also set the slot value in attribute change steps for script.src (and, later, for iframe.srcdoc). In fact, it's easier to move the slot setting for scripts to attribute change steps (right now it's defined at IDL level in https://w3c.github.io/webappsec-trusted-types/dist/spec/#setting-slot-values).

I'm not sure yet what to do with script bodies.

koto avatar Dec 13 '19 15:12 koto

This is the Chrome implementation (only script text is affected): https://chromium-review.googlesource.com/c/chromium/src/+/2041622

koto avatar Mar 09 '20 12:03 koto

See also https://bugs.chromium.org/p/chromium/issues/detail?id=1218746

koto avatar Jul 12 '21 10:07 koto