Create commonly used and harmless constants like TrustedHTML.EMPTY about trusted-types HOT 7 CLOSED

Also TrustedURL.HASH, see thread

from trusted-types.

The EMPTY constants seem fine but I'm opposed to TrustedURL.HASH. There's no reason to use # alone as URL. It's only used to put there (usually in a.href) something that is later ignored (because the event handler stops the propagation). Anything else would work too, e.g. TrustedURL.EMPTY. Using # and not stopping the propagation causes the page to jump to the top which is a poor experience and we shouldn't encourage that by adding a constant for #.

from trusted-types.

Filed a request for TrustedHTML.EMPTY at https://bugs.chromium.org/p/chromium/issues/detail?id=936436

from trusted-types.

Would a solution to issue #96 obviate this?

from trusted-types.

Would a solution to issue #96 obviate this?

I think so.

I'd lean towards making these sorts of constants not part of the standard, but rather leave it to a (reference) builder library to provide. Either as explicit symbols, or via template literals, which would allow you to write
trustedHTML`` and trustedURL`#`.

from trusted-types.

I'm for keeping TrustedHTML.EMPTY as part of the standard. It's an easy way to facilitate rewriting existing code that doesn't require to use policies. For example, code linters might automatically refactor the code without any side-effects (assuming some minimal polyfill exists, or the replacement tests for the existence of the property first).

from trusted-types.

The empty HTML constant was implemented in http://crbug.com/936436. Due to naming conventions and other concerns it will be available at the factory level, so currently:

const html = TrustedTypes.emptyHTML

(tests at https://github.com/web-platform-tests/wpt/blob/master/trusted-types/TrustedTypePolicyFactory-constants.tentative.html).

I'll follow up with the polyfill implementation.

from trusted-types.