trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.

107 trusted-types issues (sorted by recently updated)

cc @smaug---- @mbrodesser-Igalia @lukewarlow `elementNs` and `attrNS` are optional nullable arguments defaulting to the empty string, so we should test what happens when null values are used: `optional DOMString?`...

These functions return a DOMString taken from a specific column of a table, containing links to TrustedHTML/TrustedScript/TrustedScriptURL interfaces (which to add more confusion, have a stringifier returning the associated string...

In [getAttributeType()](https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-getattributetype)'s algo: > 8. If attributeData is not null, then set expectedType to the value of the third member of attributeData. But attributeData is a row obtained from [Get...

See https://w3c.github.io/trusted-types/dist/spec/#deprecated-features It's linked to https://w3c.github.io/webcomponents/spec/imports/ which returns a 404 error.

Step 4 of [1]. It's passed a synthetic request from step 5 of [2]. CC @otherdaniel, @evilpie, @lukewarlow [1] https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-pre-navigation-check [2] https://html.spec.whatwg.org/#the-javascript:-url-special-case

See e.g. https://jsfiddle.net/fhrpo2zj/2/. The spec covers this, since "type" in [1] may be "form-submission" and [2] is fully exercised for that type. CC @lukewarlow, @otherdaniel [1] https://w3c.github.io/webappsec-csp/#should-block-navigation-request [2] https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-pre-navigation-check

Closes #538

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 3 returns if no trusted types are required. That section is normative. The non-normative section about the default policy (https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr) doesn't mention that aspect. It seems more intuitive...

To "Get Trusted Type compliant string". Credits to @smaug---- for detecting this.


E.g. from https://html.spec.whatwg.org/#the-insertadjacenthtml()-method. "Get Trusted Type compliant string" [1] invokes "Should sink type mismatch violation be blocked by Content Security Policy?" [2]. The latter checks for a match of the...
