
Update Trusted Types enforcement for document.write/writeln

Open lukewarlow opened this issue 1 year ago • 6 comments

Update Trusted Types enforcement for document.write/writeln

This changes from using HTMLString to a TrustedHTML or DOMString union.

This also changes the timing of the default policy call.

  • [x] At least two implementers are interested (and none opposed):
    • Gecko https://github.com/mozilla/standards-positions/issues/20
    • Chromium (https://github.com/whatwg/html/pull/10328#issuecomment-2098940049)
  • [x] Tests are written and can be reviewed and commented upon at:
    • https://github.com/web-platform-tests/wpt/pull/46141
    • https://github.com/web-platform-tests/wpt/blob/91e42694d29c23fbc075e7c89af3c23d53101dd0/trusted-types/Document-write-exception-order.xhtml
  • [x] Implementation bugs are filed:
    • Chromium: https://issues.chromium.org/issues/339317628
    • Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1508286 (general meta bug)
    • WebKit: https://bugs.webkit.org/show_bug.cgi?id=273819
  • [ ] MDN issue is filed: …
  • [x] The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)



lukewarlow May 07 '24 12:05

One thing to note is that the behaviour difference for the default policy call is actually aligning with the shipping implementation (Chromium).

lukewarlow May 07 '24 12:05

Thanks for the reviews so far; hopefully it's looking like you expect now. Definitely cleaner than the first draft.

lukewarlow May 07 '24 14:05

Thanks! We're happy with this, too.

otherdaniel May 07 '24 17:05

@annevk am I okay to say this has WebKit implementor interest?

The WebKit PR itself is being merged, but I can do follow-ups to change it. Mainly want it in to move away from the IDL attribute.

lukewarlow May 08 '24 09:05

I think the deduplication still needs to happen.

As for implementer interest, it's a bit tricky. WebKit hasn't established a position as of yet in part due to the many outstanding issues with Trusted Types. This refactoring on its own seems okay, but I would not want that to be taken as WebKit being okay with it in general.

annevk May 08 '24 12:05

I've refactored this to move things into the document write steps.

lukewarlow May 09 '24 13:05

No need for any change to MDN here as far as I can tell. Everything seems in order, so merging.

zcorpan May 28 '24 22:05