xtofian

Results 7 comments of xtofian

I see your point about not encouraging diverging code paths depending on whether TT are enforced. However, I do think we need a way for application startup code to reliably...

FWIW, one could presumably check whether or not any policy is enabled as follows, right? `'TrustedTypes' in window && TrustedTypes.getPolicyNames().length > 0`

I'm not sure `node.innerHTML = useFallback ? TrustedTypes.getExposedPolicy('fallback').createHTML(foo) : foo;` makes all that much sense. `useFallback` is true _iff_ a fallback policy is defined. In which case, ```...

But doesn't the `node.innerHTML = useFallback ? ... : foo` also become vulnerable if policies are not enforced? If they're not enforced, `useFallback` is false (because if policies are not...

Ah, now I get it. Ok, that makes sense. In practice, one would wrap the RHS into a function to avoid the clutter all over the app. Perhaps a reference...

BTW, if fallback policies are enabled, `try { e.href = 'boo'; }` is not terribly easy to use as a way of detecting enforcement, since the assignment won't actually throw....

I'm afraid I lost track of this -- very sorry for taking so long to respond! I've added `(org-with-wide-buffer (goto-char marker) ...)`, is that what you had in mind? Out...