Intent to Prototype: Trusted Types spec alignment

230 views
Skip to first unread message

Daniel Vogelheim

unread,
May 13, 2024, 12:21:00 PMMay 13
to blink-dev

Contact emails

voge...@chromium.org

Specification

https://html.spec.whatwg.org/#:~:text=Trusted%20Types

Summary

Trusted Types was implemented and launched in Chromium in 2019, and has since found use in numerous websites. It has recently gained interest from other browser vendors. The Trusted Type spec was co-written as a "monkey patch" spec along with our original implementation. It now receives fresh attention as others are trying to implement the same spec, and we are trying to integrate the spec into HTML. As part of that process various inconsistencies are being identified and fixed. Some of these fixes may be developer observable. This intent is to update our implementation to match the spec, as it's upstreamed into HTML.


Blink component

Blink>SecurityFeature>TrustedTypes

Motivation

The Trusted Types spec is being upstreamed into HTML. Our implementation should follow the updated spec to ensure cross-browser compatibility. Spec: - https://w3c.github.io/trusted-types/dist/spec/ - PRs against HTML: https://github.com/whatwg/html/pulls?q=is%3Apr+%22Trusted+Types%22+author%3Alukewarlow+ - The TT-related changes to HTML are not confined to a single section, so the spec link above is a little arbitrary.


Risks

Interoperability and Compatibility

The goal is to achieve full cross-browser interoperability. Some changes may affect backwards compatibility with our current implementation. For example, the change https://github.com/w3c/trusted-types/pull/498 is chiefly about the spec mechanism, but may change _when_ the Trusted Types checks are run. This could be developer observable, e.g. when a method has multiple reasons to throw an error then the order of checks defines which exception is thrown.


Gecko: Positive (https://github.com/mozilla/standards-positions/issues/20)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/186) Implementation work seems to be ongoing: https://github.com/WebKit/WebKit/pulls?q=is%3Apr+%22trusted+types%22

Web developers: Positive

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None


Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/trusted-types/


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5163792014245888

This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages