Add Trusted Types subfeatures to various APIs #27836
Conversation
github-actions
bot
added
the
data:api
| "chrome_android": "mirror", | ||
| "edge": "mirror", | ||
| "firefox": { | ||
| "version_added": "136", |
There was a problem hiding this comment.
|
Tip: Review these changes grouped by change (recommended for most PRs), or grouped by feature (for large PRs). |
| "description": "Requires `TrustedScriptURL` instance when trusted types are enforced", | ||
| "support": { | ||
| "chrome": { | ||
| "version_added": "141" |
There was a problem hiding this comment.
| }, | ||
| "enforces_trusted_types": { | ||
| "__compat": { | ||
| "description": "Requires `TrustedScriptURL` instance when trusted types are enforced", |
There was a problem hiding this comment.
Note, no spec url. Spec update in w3c/svgwg#934 but seems to be no corresponding online link.
There was a problem hiding this comment.
FYI there should be a web-type but following previous direction leaving it to BCD team to update.
| "opera": "mirror", | ||
| "opera_android": "mirror", | ||
| "safari": { | ||
| "version_added": false |
There was a problem hiding this comment.
Can't find evidence for Safari. Likely is supported as it has pretty good coverage on WPT, but there is not WPT test for this.
hamishwillee
force-pushed
the
ff_trusted_types_v2
branch
from
de7ed1f to
1daa9dc
Compare
| "chrome_android": "mirror", | ||
| "edge": "mirror", | ||
| "firefox": { | ||
| "version_added": "136", |
There was a problem hiding this comment.
| "opera": "mirror", | ||
| "opera_android": "mirror", | ||
| "safari": { | ||
| "version_added": "26" |
There was a problem hiding this comment.
This is from running just one of the importScript tests (https://wpt.live/trusted-types/DedicatedWorker-importScripts.html) on the latest Safari on browserstack. The next earliest version is 18 AFAIK and it didn't run on that.
github-actions
bot
added
size:l
| "chrome_android": "mirror", | ||
| "edge": "mirror", | ||
| "firefox": { | ||
| "version_added": "136", |
There was a problem hiding this comment.
| "description": "`scriptURL` parameter requires `TrustedScriptURL` instance when trusted types are enforced", | ||
| "support": { | ||
| "chrome": { | ||
| "version_added": "140" |
There was a problem hiding this comment.
So this is from https://issues.chromium.org/issues/330516530#comment25 which LOOKs to be related. Traced that to v140 via https://chromiumdash.appspot.com/commits?commit=882e7efd3bffedad411e53beed79a2f3e8e335e9&platform=Android
Note, the tests https://wpt.live/trusted-types/ (that include register) pass for many versions, so are not a good indicator of support
| "opera": "mirror", | ||
| "opera_android": "mirror", | ||
| "safari": { | ||
| "version_added": "26" |
There was a problem hiding this comment.
This is the first version on browserstack that understands trusted types (at all). It passes the register tests in https://wpt.live/trusted-types/ but as above I don't have great faith in these.
github-actions
bot
added
the
data:http
| "firefox": { | ||
| "version_added": false, | ||
| "impl_url": "https://bugzil.la/1508286" | ||
| "version_added": "138", |
There was a problem hiding this comment.
| "firefox": { | ||
| "version_added": false, | ||
| "impl_url": "https://bugzil.la/1508286" | ||
| "version_added": "135", |
There was a problem hiding this comment.
This is require-trusted-types-for.
This was implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1905678 but as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1905678#c1 this is "honored" in a number of other issues. The first of those is https://bugzilla.mozilla.org/show_bug.cgi?id=1905706 which delivered in 135.
Technically this is a partial implementation since enforcement will not enforce everything. But that has more to do with the things to be enforced still rolling out. Since at the end it will all be implemented, I think it makes sense to treat this part of the story (the directive) as fully implemented behind flag.
Co-authored-by: Claas Augner <[email protected]>
|
Thanks. Trust your research more than mine. |
caugner
changed the title
This adds Trusted Type info for a number of API. I am working of Firefox. Where possible I have attempted to determine Chrome and Safari data. Where not found I have marked as false. Supporting data for each case linked inline.
APIs added
SVGAnimatedString.baseVal- TrustedScriptURLWorkerGlobalScope.importScripts()- TrustedScriptURLServiceWorkerContainer.register()- TrustedScriptURLContent-Security-Policy: trusted-types- support for setting the allowed trusted type policy names