Intent to Ship: Trusted Types spec alignment

6 views
Skip to first unread message

Chromestatus

unread,
9:50 AM (1 hour ago) 9:50 AM
to blin...@chromium.org, voge...@google.com
Contact emails
voge...@google.com

Specification
https://html.spec.whatwg.org/#:~:text=Trusted%20Types

Summary
Trusted Types (https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API) was originally implemented and launched in Chromium in 2019, and has since found use in numerous websites. It has recently gained interest from other browser vendors. The Trusted Type spec was co-written as a "monkey patch" spec along with our original implementation. It now receives fresh attention as others are trying to implement the same spec. It has now been "upstreamed" into HTML + DOM (plus a bit of CSP). As part of that process, various inconsistencies are being identified and fixed. Some of these fixes may be developer observable. This intent is to update our implementation to match the spec, as it's upstreamed into HTML. Meanwhile, WebKit has launched their implementation of the updated Trusted Types spec, which gives us high confidence that this update is highly web compatible.

Blink component
Blink>SecurityFeature>TrustedTypes

Web Feature ID
trusted-types

Motivation
The Trusted Types spec has been upstreamed into HTML, with some minor cleanups and changes. Our implementation should follow the updated spec to ensure cross-browser compatibility. Spec: https://w3c.github.io/trusted-types/dist/spec/ + https://html.spec.whatwg.org/

Initial public proposal
No information provided

TAG review
No information provided

TAG review status
Not applicable

Risks


Interoperability and Compatibility
The goal is to achieve full cross-browser interoperability. Meanwhile, both WebKit and Firefox have enabled their version -- at least in testing builds -- without any major incompatibility reports. This makes us rather confident that the compability risk is low.

Gecko: Positive (https://github.com/mozilla/standards-positions/issues/20) Firefox has enabled their version in Nightly: https://www.firefox.com/en-US/firefox/145.0a1/releasenotes/

WebKit: Support (https://github.com/WebKit/standards-positions/issues/186) WebKit has launched their version: https://developer.apple.com/documentation/safari-release-notes/safari-26-release-notes#New-Features

Web developers: Positive

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/trusted-types/

Flag name on about://flags
No information provided

Finch feature name
TrustedTypesHTML

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://issues.chromium.org/u/1/issues/330516530

Estimated milestones
Shipping on desktop145
Shipping on desktop145
Shipping on Android145
Shipping on Android145
Shipping on WebView145
Shipping on WebView145


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

All anticipated spec changes have landed in HTML, DOM, and CSP specs.

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5163792014245888?gate=5109165432504320

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMLJR2%3DBqAugsavCtqSR0Z_CQOgWHjeiyzpU0crTphANQ%40mail.gmail.com


This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages