trusted-types
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
The [TC39 asset reference](https://github.com/sebmarkbage/ecmascript-asset-references) +(@bmeck @sebmarkbage) separates information about modules from loading of modules. It provides new syntax for [static asset references]: ```js asset Foo from "foo"; // Now the...
Extracted from #152: @briansmith: > I expect that most people who would use Trusted Types don't want `` to be used at all and so it should be easy to...
In https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-create-a-trusted-type-from-literal , TrustedHTML is special-cased to do > Let templateNode be the results of [creating an element](https://dom.spec.whatwg.org/#concept-create-element) given "template", the [HTML namespace](https://infra.spec.whatwg.org/#html-namespace) and [current global object](https://html.spec.whatwg.org/multipage/webappapis.html#current-global-object)'s [associated Document](https://html.spec.whatwg.org/multipage/window-object.html#concept-document-window). but...
Recently, we have conducted a study regarding development strategies and roadblocks of trusted types deployment for Web Developers which is going to be presented/published in August 2024 (Preprint: https://swag.cispa.saarland/papers/roth2024tt.pdf). Among...
E.g. https://jsfiddle.net/q5kmL492/ is possible. https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive requires the policy-name to consist of at least one character. That might be annoying when one writes multiple policies named `""` and wants to limit...
Why is "callback **this** value set to null" required in step 5 of "Get Trusted Type policy value"?
https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-policy-value-algorithm
* https://wpt.fyi/results/trusted-types/block-string-assignment-to-Element-setAttribute.html needs * test with an attribute (e.g. HTML's `srcdoc`) node created in a different realm. It should be rejected when imported and added to an iframe in the...
Following on from discussions recently with @caridy it's possible we could avoid the default policy fallback for eval (and Function() etc). This simplifies the TT spec slightly (not much though),...
E.g., in Create a Trusted Type Policy it would be much clearer if the dictionary members were set using map syntax. It currently states properties are being set, which is...
https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-create-a-trusted-type