trusted-types

trusted-types copied to clipboard

CSP sample for eval and Function

4

This issue is to discuss the exact specifics of the CSP violation sample. Chrome currently has some oddly specific behaviour which isn't specced. `eval('alert(1)');` -> `eval|alert(1)` - This direct eval...

lukewarlow

Seeking Trusted Types feedback on Array.isTemplateObject

5

TC39 recently discussed Array.isTemplateObject, a feature to enable TT to allow literal HTML/JS strings. See the notes at https://github.com/tc39/notes/blob/main/meetings/2024-04/april-10.md#arrayistemplateobject-next-steps The committee wanted to ask the Trusted Types experts: Do you...

littledan

This is needed by https://github.com/w3c/webappsec-csp/pull/665 *** Preview | Diff

lukewarlow

Should all 3 script IDL setters change the associated script text value identically

11

A good point came up during code review of an associated webkit patch that the .innerText setter steps and the .textContent/.text setter steps are different, and presumably could result in...

lukewarlow

[Meta] Upstream changes

2

This issue will track PRs to upstream changes to other specs.

lukewarlow

Add WPTs for CSP `sandbox allow-scripts` combined with Trusted Types

2

https://w3c.github.io/webappsec-csp/#directive-sandbox The `sandbox` directive is ignored when delivered via a `` tag.

mbrodesser-Igalia

Check variable naming inside of getAttributeType and getPropertyType methods

2

See https://github.com/WebKit/WebKit/pull/26552#issuecomment-2025243333 for context but TLDR make sure these two functions have parameters and variables named coherently.

lukewarlow

`createPolicy`'s permitted policy names are inconsistent with CSP's permitted policy names

5

https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy has no restrictions on the policy name, https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive has. E.g. `trustedTypes.createPolicy("$")` is supported and `trusted-types $` not. https://github.com/w3c/trusted-types/issues/466 is a special case of this.

mbrodesser-Igalia

Should SVGScriptElement have an IDL way to set a trusted script value?

2

Currently I don't believe there's any sanctioned way to update the contents of an SVG script element (assuming https://github.com/w3c/trusted-types/issues/483 is done so the protection covers them too). The spec says...

lukewarlow

"Create a Trusted Type Policy" should specify the TypeError messages

3

https://searchfox.org/mozilla-central/rev/0916ef0172ce5b2a72749b659da8ad95f637ef42/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-nameTests.html#38 requires that. https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-create-a-trusted-type-policy currently not.

mbrodesser-Igalia