
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.

Results 86 trusted-types issues

Like https://github.com/whatwg/html/blob/main/PULL_REQUEST_TEMPLATE.md. Helps to keep track of WPTs, implementations and MDN.

See https://github.com/w3c/trusted-types/issues/398.

https://w3c.github.io/trusted-types/dist/spec/#webidl-integration - mentions this PR (https://github.com/whatwg/webidl/pull/841). There are mismatches between what's in this spec and that spec PR. It would be good if that WebIDL spec PR could be updated with...

This issue is here to track the specific spec mechanism for protecting against a script that's edited mid-parse. To avoid needing to look all over here's a summary. As of...

spec

Currently getPropertyType's spec and both Chromium's and WebKit's implementations have no handling of the .href.baseVal property of an SVGScriptElement, but it does require a TrustedScriptURL. cc @koto what should we...

spec

As of #457 the spec uses the HTML "event handler content attribute" concept. Anne's feedback was that that was ambiguous and we should instead generate a fixed list to check...

spec

E.g. `createPolicy("X");` with `trusted-types 'none'`. https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy doesn't set the violation's `element`. Hence https://w3c.github.io/webappsec-csp/#report-violation step 3.2 sets target to the document. Step 3.3 fires the event. CC @lukewarlow, @otherdaniel
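To make the behaviour in the issue above concrete, here is an added example (not code from the Trusted Types spec, the w3c/trusted-types repository, or any browser) that models the CSP `trusted-types` directive check a user agent runs on `trustedTypes.createPolicy(name)`. It follows the shape of the spec's "should block create policy" algorithm: a name is permitted only if the directive lists it or `*`, keywords such as `'none'` and `'allow-duplicates'` never match a name, and every violation is built without an `element`, which is why CSP's "report a violation" falls back to the Document as the event target. The `parseCsp` helper, the policy/violation object shapes, the `"document"` target string and the `createdNames` parameter are assumptions of this example; policy-name grammar validation and the exact `sample` truncation are not modelled.

```javascript
// Added example: a model of the CSP "trusted-types" check performed on
// trustedTypes.createPolicy(policyName). Not spec text and not browser code;
// the object shapes and helper names below are assumptions of this example.

// Parse one Content-Security-Policy header value into a policy object.
// disposition is "enforce" for Content-Security-Policy and "report" for
// Content-Security-Policy-Report-Only.
function parseCsp(headerValue, disposition = "enforce") {
  const directives = new Map();
  for (const raw of headerValue.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...value] = tokens;
    // CSP honours only the first occurrence of a directive name.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, value);
  }
  return { directives, disposition };
}

// Decide whether createPolicy(policyName) is blocked under a list of CSP
// policies and collect the violation objects that would be reported.
// createdNames holds policy names already created in this realm, which the
// 'allow-duplicates' rule needs (assumed parameter, not a spec argument).
function shouldBlockCreatePolicy(cspList, policyName, createdNames = new Set()) {
  let result = "Allowed";
  const violations = [];
  for (const policy of cspList) {
    const value = policy.directives.get("trusted-types");
    if (value === undefined) continue; // no trusted-types directive: nothing to check

    let createViolation = false;
    // A name is allowed if the directive lists it verbatim or contains '*'.
    // Keywords ('none', 'allow-duplicates') are never equal to a policy name,
    // so `trusted-types 'none'` allows no name at all.
    const allowed = value.some((expr) => expr === "*" || expr === policyName);
    if (!allowed) createViolation = true;

    // Creating the same name twice is a violation unless 'allow-duplicates' is set.
    const allowDup = value.some((expr) => expr.toLowerCase() === "'allow-duplicates'");
    if (createdNames.has(policyName) && !allowDup) createViolation = true;

    if (!createViolation) continue;
    violations.push({
      effectiveDirective: "trusted-types",
      resource: "trusted-types-policy",
      sample: policyName,
      // The algorithm never sets the violation's element, so the CSP
      // "report a violation" steps make the Document the event target.
      element: null,
      target: "document",
      disposition: policy.disposition,
    });
    // Only an enforced policy blocks; a report-only policy still reports.
    if (policy.disposition === "enforce") result = "Blocked";
  }
  return { result, violations };
}

// Constructed demonstration: the exact case from the issue.
const enforced = parseCsp("require-trusted-types-for 'script'; trusted-types 'none'");
const outcome = shouldBlockCreatePolicy([enforced], "X");
console.log(outcome.result, outcome.violations[0].target);
```

The `target` field is where the issue's observation shows up: because `element` stays `null`, a `securitypolicyviolation` listener would have to be attached to the document rather than to any element to see the `createPolicy` report. Comparing an enforced header with a report-only one on the same name also shows that a report-only policy yields a violation object but an `Allowed` result.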

There are some for Window (https://searchfox.org/mozilla-central/search?q=report-uri&path=tests%2Ftrusted-types%2F&case=true&regexp=false), not for Workers (https://searchfox.org/mozilla-central/search?q=Worker&path=tests%2Ftrusted-types%2F&case=true&regexp=false).