trusted-types
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
In https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-process-value-with-a-default-policy step 2.
https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-process-value-with-a-default-policy step 4 The callbacks are webidl callbacks, so the return value is DOMString? or USVString?, no? https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm seems to then check for undefined too. @mbrodesser-Igalia @lukewarlow @koto
I need to reference require-trusted-types-for in another spec. It would be convenient if it were exported to avoid needing to add it to the pre#anchors section.
Currently the [DOM spec](https://dom.spec.whatwg.org/#converting-nodes-into-a-node), and both WebKit and Chromium have special casing in DOM APIs such as node.replaceChildren for script elements. Such that if you try and replace the children...
Currently the TrustedTypes aren't frozen objects so can be overridden. And then we need to account for the fact stuff like the stringifier can be overridden in implementations. We should...
https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 1 currently specifies "If input has type expectedType". What does that mean? It seems `isHTML` (https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-ishtml) / `isScript` / `isScriptURL` should be invoked. The callers of "Get Trusted...
Also add SVGScriptElement to spec. Fixes https://github.com/w3c/trusted-types/issues/483, https://github.com/w3c/trusted-types/issues/517