[webkit-dev] Request for Position: Trusted Types
Patrick Griffis
pgriffis at igalia.com
Tue Mar 29 10:05:40 PDT 2022
Hi everybody,
I'd like input on the Trusted Types API[0].
It is a set of APIs intended to protect against DOM-based XSS attacks.
It changes various APIs to not accept arbitrary strings, for example
`element.innerHTML` can only be assigned a `TrustedHTML` object. These
are also policies controllable by Content-Security-Policy[1].
It has been implemented by Chromium 83+ (May 2020). There is a polyfill
for everything else[2].
This would be a moderately large task that Igalia would consider
starting in H2 if there is consensus on this.
Thanks,
Patrick
[0] https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types#browser_compatibility
[2] https://github.com/w3c/webappsec-trusted-types#polyfill
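The mechanism described in the message above, as an added example that is not part of the original post or of any project's code: a single Trusted Types policy is the only place where untrusted text becomes a value that `innerHTML` will accept. The policy name `example-escape` and the helpers `escapeHtml` and `setCommentHtml` are hypothetical, and the fallback object stands in for the API where `trustedTypes` is not available.

```javascript
// Response header that enforces Trusted Types and allow-lists one policy name:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types example-escape
// With that header, `el.innerHTML = someString` throws a TypeError in a
// supporting browser; only a TrustedHTML object from an allowed policy is accepted.

// Where the API is missing, use an object with the same createPolicy shape
// that hands back the rules, so createHTML returns a plain (still escaped) string.
const tt = globalThis.trustedTypes ?? { createPolicy: (_name, rules) => rules };

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise the characters that let text be parsed as markup or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// The one reviewed conversion point from string to TrustedHTML.
// 'example-escape' is a hypothetical name and must match the CSP allow-list.
const escapePolicy = tt.createPolicy('example-escape', {
  createHTML: (input) => escapeHtml(input),
});

// Write untrusted text to an HTML sink through the policy.
// `element` is anything with an innerHTML property (a DOM element in a browser).
function setCommentHtml(element, untrustedText) {
  element.innerHTML = escapePolicy.createHTML(untrustedText);
  return element;
}
```

Because every write to the sink goes through `escapePolicy`, a security review can focus on the policy body instead of every `innerHTML` assignment in the code base.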