Ff145 Trusted Types follow on #28350
| "deprecated": true | ||
| } | ||
| }, | ||
| "enforces_trusted_types": { |
- Note, in this case of `insertHTML` I have created `insertHTML` feature first and then nested this `enforces_trusted_types`
  - My reasoning is that this only affects insertHTML and there are a lot of other options. We could instead put this as same level as the parent feature if you prefer and in description: `insertHTML() requires ...`
- Tested on browserstack using https://wpt.live/trusted-types/block-Document-execCommand.html
| "deprecated": false | ||
| } | ||
| }, | ||
| "enforces_trusted_types": { |
Versions tested using https://wpt.live/trusted-types/block-string-assignment-to-Element-setAttribute.html
The description is overly long. If you follow the spec https://wpt.live/trusted-types/block-string-assignment-to-Element-setAttributeNS.html you see that https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-data-for-attribute%E2%91%A0 which shows that this applies to
| Element | Attribute namespace | Attribute local name | TrustedType | Sink |
| --- | --- | --- | --- | --- |
| HTMLIFrameElement | null | "srcdoc" | TrustedHTML | "HTMLIFrameElement srcdoc" |
| HTMLScriptElement | null | "src" | TrustedScriptURL | "HTMLScriptElement src" |
| SVGScriptElement | null | "href" | TrustedScriptURL | "SVGScriptElement href" |
| SVGScriptElement | XLink namespace | "href" | TrustedScriptURL | "SVGScriptElement href" |

For the NS case I tried a different description

"`value` parameter requires `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)",
What I'm trying to do is find a shorter string that captures "the TT enforced if setting attribute directly on the equivalent property would be enforced".
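The attribute table quoted in the comment above, used as a pre-enforcement audit; this is an added example, not code from the PR or from browser-compat-data. The `auditCalls` helper, the call-record shape and the sample records are hypothetical and constructed for illustration.

```javascript
// Added example (not from the PR): flag recorded setAttribute()/setAttributeNS()
// calls that would need a trusted type under enforcement.
const XLINK_NS = "http://www.w3.org/1999/xlink";

// Rows copied from the table in the comment above:
// [element interface, attribute namespace, attribute local name, required type]
const SINKS = [
  ["HTMLIFrameElement", null, "srcdoc", "TrustedHTML"],
  ["HTMLScriptElement", null, "src", "TrustedScriptURL"],
  ["SVGScriptElement", null, "href", "TrustedScriptURL"],
  ["SVGScriptElement", XLINK_NS, "href", "TrustedScriptURL"],
];

// Look up the type a sink expects; null means the table has no row for it.
function requiredTypeFor(iface, ns, localName) {
  // Simplifying assumption: names on HTML elements are compared in lowercase,
  // as setAttribute() lowercases them in HTML documents; SVG names are not.
  const name = iface.startsWith("HTML") ? localName.toLowerCase() : localName;
  const row = SINKS.find(([i, n, l]) => i === iface && n === ns && l === name);
  return row ? { type: row[3], sink: `${iface} ${name}` } : null;
}

// calls: [{ iface, ns, name, valueType, where }] (hypothetical record shape,
// e.g. produced by instrumenting a test run). Returns the calls whose value
// is not already the expected type.
function auditCalls(calls) {
  const findings = [];
  for (const c of calls) {
    const need = requiredTypeFor(c.iface, c.ns ?? null, c.name);
    if (need && c.valueType !== need.type) {
      findings.push({ where: c.where, sink: need.sink, expected: need.type, got: c.valueType });
    }
  }
  return findings;
}

// Constructed sample records, not taken from any real application.
const SAMPLE_CALLS = [
  { iface: "HTMLIFrameElement", name: "SrcDoc", valueType: "string", where: "preview.js:12" },
  { iface: "HTMLScriptElement", name: "src", valueType: "TrustedScriptURL", where: "loader.js:4" },
  { iface: "SVGScriptElement", ns: XLINK_NS, name: "href", valueType: "string", where: "chart.js:88" },
  { iface: "HTMLScriptElement", name: "type", valueType: "string", where: "loader.js:5" },
  { iface: "HTMLScriptElement", name: "src", valueType: "TrustedHTML", where: "widget.js:30" },
];

console.log(auditCalls(SAMPLE_CALLS));
```

Each finding is a call site that needs either a value of the expected type or a default policy before enforcement is switched on.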
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "`value` parameter requires `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)", |
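Review bot: the `description` string on the last line of this hunk reads "when trusted types enforced", dropping the "are" that the other `enforces_trusted_types` descriptions in this change use ("when trusted types are enforced"); make the wording uniform. The trailing "(matching attribute type)" also leaves the attribute-to-type pairing implicit, so a reader cannot tell from the string which attribute needs which of the three types.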
Testing using https://wpt.live/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
Note that while the spec seems to point to the same place as the non NS version ( See https://github.com/mdn/browser-compat-data/pull/28350/files#r2485142295 ) the test is different. This might therefore be wrong. I'm asking in https://bugzilla.mozilla.org/show_bug.cgi?id=1992941#c10
| "description": "`value` parameter requires `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)", | |
| "description": "Requires `value` parameter to be `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)", |
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "`url` parameter requires `TrustedScriptURL` instance when trusted types are enforced", |
Tested with https://wpt.live/trusted-types/DedicatedWorker-constructor-from-DedicatedWorker.html - yes, I know this is dedicated worker, I'm assuming they are the same
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "`url` parameter requires `TrustedScriptURL` instance when trusted types are enforced", |
Tested with https://wpt.live/trusted-types/DedicatedWorker-constructor-from-DedicatedWorker.html
Note, I didn't nest this as a property of a URL sub feature. Would you prefer that? Ditto for the SharedWorker
| "description": "`url` parameter requires `TrustedScriptURL` instance when trusted types are enforced", | |
| "description": "Requires `url` parameter to be `TrustedScriptURL` instance when trusted types are enforced", |
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "Arguments require `TrustedScript` instance when trusted types are enforced", |
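Review bot: the `description` on the last line of this hunk says "Arguments require `TrustedScript` instance", which pairs a plural subject with a singular "instance" and does not name the parameters, unlike the `url` and `value` descriptions elsewhere in this change. Name the affected parameters in backticks, or write "instances" if every argument is covered.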
| "description": "Arguments require `TrustedScript` instance when trusted types are enforced", | |
| "description": "Requires arguments to be `TrustedScript` instance when trusted types are enforced", |
| "version_added": "1", | ||
| "version_removed": "69", | ||
| "partial_implementation": true, | ||
| "notes": "Only supported for [`HTMLDocument`](https://developer.mozilla.org/docs/Web/API/HTMLDocument), not all `Document` objects." |
Is there a bug that captures generalizing the implementation for all Document objects?
| "standard_track": false, | ||
| "deprecated": true |
Is this really deprecated? Should it not be:
| "standard_track": false, | |
| "deprecated": true | |
| "standard_track": true, | |
| "deprecated": false |
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "When trusted types are enforced `value` parameter requires `TrustedHTML` instance for `iframe.srcdoc` and `TrustedScriptURL` for HTML `script.src` and SVG `script.href`", |
| "description": "When trusted types are enforced `value` parameter requires `TrustedHTML` instance for `iframe.srcdoc` and `TrustedScriptURL` for HTML `script.src` and SVG `script.href`", | |
| "description": "Requires `value` parameter to be `TrustedHTML` instance (for `iframe.srcdoc`), or `TrustedScriptURL` (for HTML `script.src`, and SVG `script.href`) when trusted types are enforced", |
| "status": { | ||
| "experimental": false, | ||
| "standard_track": true, | ||
| "deprecated": true |
Same:
| "deprecated": true | |
| "deprecated": false |
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "`value` parameter requires `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)", |
| "description": "`value` parameter requires `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)", | |
| "description": "Requires `value` parameter to be `TrustedHTML`, `TrustedScript`, or `TrustedScriptURL` instance when trusted types enforced (matching attribute type)", |
| "status": { | ||
| "experimental": false, | ||
| "standard_track": true, | ||
| "deprecated": true |
| "deprecated": true |
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "`url` parameter requires `TrustedScriptURL` instance when trusted types are enforced", |
| "description": "`url` parameter requires `TrustedScriptURL` instance when trusted types are enforced", | |
| "description": "Requires `url` parameter to be `TrustedScriptURL` instance when trusted types are enforced", |
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "Arguments require `TrustedScript` instance when trusted types are enforced", |
| "description": "Arguments require `TrustedScript` instance when trusted types are enforced", | |
| "description": "Requires arguments to be `TrustedScript` instance when trusted types are enforced", |
| "standard_track": false, | ||
| "deprecated": true |
Isn't this standard track? (And if yes, what spec URL could we set?)
| "standard_track": false, | |
| "deprecated": true | |
| "standard_track": true, | |
| "deprecated": false |
This follows #28302 with updates for a few more trusted type injection sinks. These originate from a big list generated here:
w3c/trusted-types#494 (comment)
Firefox supports these. I have marked up how I tested them inline.
Related docs work can be tracked in #41507
FYI only - Note these things are the ones in wpt that I have added because they are standard. There are still some non standard ones I have chosen NOT to cover these yet because FF doesn't support them, they might be reverted or accepted, and I don't have time in this release cycle.