
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.

Results 86 trusted-types issues

Currently trusted types requires you to update each individual call site for specific policy usage OR you get one universal default policy. This is, I suspect, in many cases not...

enhancement
future

`trusted-script` keyword [is used](https://wicg.github.io/trusted-types/dist/spec/index.html#trusted-script-csp-keyword) now for `javascript:` navigations and `eval` guarding. Since we've integrated with CSP logic, perhaps the keyword is now superfluous? If a website uses `eval` or `javascript:`...

There's no test coverage over the SVG null/xlink NS href attribute in getAttributeType; this should be addressed.

https://searchfox.org/mozilla-central/rev/c26f7461fc2a51196b7f517c7f98a1e271dc9ec0/testing/web-platform/tests/trusted-types/Element-setAttributeNS.html#21-32 There seems to be duplication with https://searchfox.org/mozilla-central/source/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html#12-23 too.

- Makes namespace properties nullable DOMStrings

- getAttributeType and getPropertyType now use lookup tables. Fixes #456 and #423

Apologies if I'm missing something, but I believe that the spec as currently written blocks any inline script elements from executing. https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts A new [[ScriptText]] slot is added and is...

bug
spec

Address #438. I haven't done the DOM parts change but have made a follow-up issue for tracking that so it doesn't get lost. cc @mbrodesser-Igalia

Follow-up from #445. Currently the default policy gets "(function(foo\n) { \nbody\n})" or something along those lines, aka a compiled function string. This requires that we pass through the fully...

I'm unfamiliar with [shadow realms](https://tc39.es/proposal-shadowrealm) as a whole, but I see that it introduces some form of script evaluation. Does this need to be covered by Trusted Types like eval...