[webkit-dev] Request for Position: Trusted Types
pgriffis at igalia.com
Tue Mar 29 10:05:40 PDT 2022
I'd like input on the Trusted Types API.
It is a set of APIs intended to protect against DOM-based XSS attacks.
It changes various APIs to not accept arbitrary strings, for example
`element.innerHTML` can only be assigned a `TrustedHTML` object. These
are also policies controllable by Content-Security-Policy.
It has been implemented by Chromium 83+ (May 2020). There is a polyfill
for everything else.
This would be a moderately large task that Igalia would consider
starting in H2 if there is consensus on this.
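
A minimal sketch of what the API described above looks like from page script, as an added example that is not part of the original email or of any WebKit or Chromium code. The policy name `escape-only`, the helper names and the CSP header shown in the comment are assumptions made for illustration.

```javascript
// Assumed response header that switches enforcement on for the page:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-only
const POLICY_NAME = "escape-only"; // hypothetical; must match the header above

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// The only transformation this policy permits: turn markup into inert text.
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Build the policy. With Trusted Types available, createHTML() returns a
// TrustedHTML object; without it, the same rules return plain strings.
// Create it once: a duplicate policy name is rejected under the header above.
function createEscapePolicy(tt = globalThis.trustedTypes) {
  const rules = { createHTML: escapeHTML };
  if (tt && typeof tt.createPolicy === "function") {
    return tt.createPolicy(POLICY_NAME, rules);
  }
  return { name: POLICY_NAME, createHTML: (s) => rules.createHTML(s) };
}

const escapePolicy = createEscapePolicy();

// Under enforcement, `element.innerHTML = untrusted` throws a TypeError;
// the sink accepts only the value produced by a policy named in the header.
function renderComment(element, untrusted, policy = escapePolicy) {
  const html = policy.createHTML(untrusted);
  element.innerHTML = html;
  return String(html);
}

// Constructed sample input and a stand-in element so the file also runs in Node.
const sampleElement = { innerHTML: "" };
renderComment(sampleElement, '<img src=x onerror="alert(1)">');
```

In engines without the API the fallback branch keeps the same call sites working, which is also how a page can adopt the policy before every browser enforces it.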