trusted-types issues

Results 86 trusted-types issues

Sort by recently updated

getAttributeType() needs a rewrite

It should reuse the logic from #418.

annevk

There's a lack of test coverage over the namespace aspect of getPropertyType

A WPT test (or subtest) should be added to test the elementNs parameter of getPropertyType

lukewarlow

getAttributeType and getPropertyType should default to HTML namespace, not ""

Currently the algorithms oddly change empty string to HTML namespace. That prevents using the methods with elements which are in "" namespace (whether or not that is actual useful). But...

smaug----

Duplication of some tests

The current test suite duplicates some tests such as the one inside of `Element-outerHTML.html`, which is the top subtest within `block-string-assignment-to-Element-outerHTML.html` it would be good to squash these down so...

lukewarlow

Can we add no-op/report?

It seems to me that for trusted types to be really successful at what they are aiming to do, they need very large scale adoption and there's a bit here...

bkardell

Adressing cross-document vectors comprehensively relies on "origin-policy" which is a proposal which is on hold

https://w3c.github.io/trusted-types/dist/spec/#cross-document-vectors mentions that. Examples of instances not addressable appreciated.

mbrodesser-Igalia

Ensure at least one representative of all classes of injection sinks is guarded with TT

Classes of injection sinks are: 1. IDL attributes, e.g. `someScript.src = someSrc`. 2. JS functions, e.g. `eval(someString)`. 3. DOM APIs, e.g. `someScriptElement.setAttribute("src", someSrc)`. This is required in order to ensure...

mbrodesser-Igalia

Are all injection sinks covered by the spec?

https://w3c.github.io/trusted-types/dist/spec/#introduction mentions "over 60 different injection sinks". However, the spec contains: 12 occurrences of "HtmlString" 6 occurrences of "ScriptString" 12 occurrences of "ScriptUrlString" Which is below 60. https://w3c.github.io/trusted-types/dist/spec/#injection-sinks mentions `The...

mbrodesser-Igalia

Broken references in Trusted Types

While crawling [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/), the following links to other specifications were detected as pointing to non-existing anchors: * [ ] https://w3c.github.io/DOM-Parsing/#widl-Element-innerHTML * [ ] https://w3c.github.io/DOM-Parsing/#widl-Element-outerHTML * [ ] https://w3c.github.io/DOM-Parsing/#html-fragment-parsing-algorithm *...

dontcallmedom-bot

should `null` & `undefined` for sinks requiring TT be a passthrough ?

Consider the following scenario: ``` setTimeout(null, 1); ``` In a TT environment this would require `null` to be TrustedScript value. Say we define a default policy to handle such cases...

dejang

trusted-types
trusted-types copied to clipboard

Metadata

getAttributeType() needs a rewrite

There's a lack of test coverage over the namespace aspect of getPropertyType

getAttributeType and getPropertyType should default to HTML namespace, not ""

Duplication of some tests

Can we add no-op/report?

Adressing cross-document vectors comprehensively relies on "origin-policy" which is a proposal which is on hold

Ensure at least one representative of all classes of injection sinks is guarded with TT

Are all injection sinks covered by the spec?

Broken references in Trusted Types

should `null` & `undefined` for sinks requiring TT be a passthrough ?

← Metadata

Owner

Metadata

trusted-types trusted-types copied to clipboard

Metadata

← Metadata

Owner

Metadata

trusted-types
trusted-types copied to clipboard