
Asynchronous createHTML/createScript/createScriptURL

Open fred-wang opened this issue 6 months ago • 2 comments

Testcase:

<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
<div id="div"></div>
<script>
  trustedTypes.createPolicy("default", {
    createHTML: async s => s,
  });
  div.innerHTML = "Hello World!"
</script>

This sets the div's inner HTML to [object Promise] in all browsers, which at first was kinda unexpected to me.

Technically, an async function is equivalent to returning a Promise object, and it's unclear whether "stringifying" in "Process value with a default policy" is supposed to resolve that promise. So that's a special case of https://github.com/w3c/trusted-types/issues/541

cc @lukewarlow

fred-wang avatar Jun 26 '25 09:06 fred-wang
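As an added illustration (not code from the issue, the reporters, or the Trusted Types spec), here is a small plain-JavaScript model of the default-policy processing step that shows why an async createHTML reaches the sink as "[object Promise]", plus a wrapper that makes such a callback fail loudly at policy-creation time. processWithDefaultPolicy and requireSyncCallbacks are hypothetical names, and the tag-stripping sanitizer is a constructed stand-in for a real one.

```javascript
// Simplified model of the spec's "process value with a default policy" step
// (not the browser's implementation): call the callback synchronously, treat
// null/undefined as a rejection, and stringify anything else with ToString.
function processWithDefaultPolicy(policy, sinkName, value) {
  const cb = policy.createHTML;
  if (typeof cb !== "function") return null;
  const result = cb(String(value), sinkName);
  if (result === null || result === undefined) {
    throw new TypeError(`default policy rejected value for ${sinkName}`);
  }
  // A Promise has no own toString, so String(promise) is "[object Promise]":
  // the sanitizer's eventual output is never seen by the sink.
  return String(result);
}

// Constructed sanitizer: strips tags (stand-in for a real sanitizer library).
const stripTags = s => s.replace(/<[^>]*>/g, "");
const syncPolicy = { createHTML: s => stripTags(s) };
const asyncPolicy = { createHTML: async s => stripTags(s) }; // the bug from the issue

// Defensive wrapper (hypothetical): reject callbacks that return a thenable so
// the misconfiguration surfaces as a TypeError instead of silently writing
// "[object Promise]" into the document.
function requireSyncCallbacks(policy) {
  const wrapped = {};
  for (const name of ["createHTML", "createScript", "createScriptURL"]) {
    if (typeof policy[name] !== "function") continue;
    wrapped[name] = (...args) => {
      const out = policy[name](...args);
      if (out !== null && typeof out === "object" && typeof out.then === "function") {
        throw new TypeError(`${name} must return synchronously, got a thenable`);
      }
      return out;
    };
  }
  return wrapped;
}

function demo(policy, input) {
  return processWithDefaultPolicy(policy, "HTMLElement innerHTML", input);
}

console.log(demo(syncPolicy, "<b>Hello</b> World!"));  // Hello World!
console.log(demo(asyncPolicy, "<b>Hello</b> World!")); // [object Promise]
```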

I think that or throwing is about the only reasonable outcome there.

lukewarlow avatar Jun 26 '25 10:06 lukewarlow

This behavior seems kinda expected and probably not different from any other place that takes a callback. Being strict about the return type, but only for certain types, seems weird.

annevk avatar Jun 26 '25 12:06 annevk