w3c
Add tests for getAttributeType()/getPropertyType() for embed@src, object@codebase and object@data
cc @mbrodesser-Igalia @lukewarlow @smaug---- @koto
It seems chromium treats embed's src attribute and object's codebase/data attributes as TrustedScriptURL:
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.cc;l=50;drc=08efa89c7d73d72e6ebcddbf053c41a230dc1ba8?q=TrustedTypePolicyFactory
But they are not listed in the spec: https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-get-trusted-type-data-for-attribute
AFAIK, there is no WPT tests for these attributes either.
They were historically included but no longer are. Chromium needs to update it's implementation such that they're no longer protected. It might be worth adding a test that ensured that they're not covered by TT.
Same for the properties:
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.cc;drc=08efa89c7d73d72e6ebcddbf053c41a230dc1ba8;l=92?q=TrustedTypePolicyFactory
They were historically included but no longer are. Chromium needs to update it's implementation such that they're no longer protected. It might be worth adding a test that ensured that they're not covered by TT.
Thanks Luke. Will add tests for that then!
Per Luke's comment, no spec changes are needed, so changing title to indicate this is only about tests.
I've opened https://github.com/web-platform-tests/wpt/pull/48760 for that.
For context, these were removed from the spec in https://github.com/w3c/trusted-types/issues/305. @otherdaniel, we should correct the Chromium impl and remove the enforcement.
This is the Chromium issue: https://issues.chromium.org/issues/375219958
https://github.com/web-platform-tests/wpt/pull/48760 landed, so I believe we can close this.