Comments (7)
Also TrustedURL.HASH
, see thread
from trusted-types.
The EMPTY constants seem fine but I'm opposed to TrustedURL.HASH. There's no reason to use #
alone as URL. It's only used to put there (usually in a.href) something that is later ignored (because the event handler stops the propagation). Anything else would work too, e.g. TrustedURL.EMPTY. Using #
and not stopping the propagation causes the page to jump to the top which is a poor experience and we shouldn't encourage that by adding a constant for #
.
from trusted-types.
Filed a request for TrustedHTML.EMPTY
at https://bugs.chromium.org/p/chromium/issues/detail?id=936436
from trusted-types.
Would a solution to issue #96 obviate this?
from trusted-types.
Would a solution to issue #96 obviate this?
I think so.
I'd lean towards making these sorts of constants not part of the standard, but rather leave it to a (reference) builder library to provide. Either as explicit symbols, or via template literals, which would allow you to write
trustedHTML``
and trustedURL`#`
.
from trusted-types.
I'm for keeping TrustedHTML.EMPTY
as part of the standard. It's an easy way to facilitate rewriting existing code that doesn't require to use policies. For example, code linters might automatically refactor the code without any side-effects (assuming some minimal polyfill exists, or the replacement tests for the existence of the property first).
from trusted-types.
The empty HTML constant was implemented in http://crbug.com/936436. Due to naming conventions and other concerns it will be available at the factory level, so currently:
const html = TrustedTypes.emptyHTML
I'll follow up with the polyfill implementation.
from trusted-types.
Related Issues (20)
- Event handler enforcement section wrong HOT 1
- [Meta] Upstream changes HOT 2
- HTML timers as specced won't work HOT 2
- Callback IDL types HOT 1
- New `script text` associated data and associated mechanisms need adding to SVGScriptElement
- "Validate the string in context" takes any value and calls "Get Trusted Type compliant string" which requires a TrustedType or a string HOT 12
- CSP sample for eval and Function HOT 4
- Get trusted type compliant attribute value sink HOT 1
- Improve test coverage of sink values HOT 1
- Check variable naming inside of getAttributeType and getPropertyType methods
- `execCommand` spec won't work HOT 7
- `createPolicy`'s permitted policy names are inconsistent with CSP's permitted policy names HOT 5
- faq.md outdated HOT 1
- Script element protection model HOT 2
- WPT for CSP header `trusted-types 'none' 'none'` missing HOT 7
- "Should Trusted Type policy creation be blocked by Content Security Policy?" passes "directive" instead of directive's name to "Create a violation object for global, policy, and directive"
- Spec / implementation mismatch with document.write/writeln HOT 8
- "Create a Trusted Type Policy" should specify the TypeError messages HOT 3
- Should SVGScriptElement have an IDL way to set a trusted script value? HOT 2
- Add WPTs for CSP `sandbox allow-scripts` combined with Trusted Types HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from trusted-types.