Contact emails
voge...@chromium.org
Specification
https://w3c.github.io/trusted-types/dist/spec/#trusted-html
Summary
Add a function to each "Trusted Type" to create an instance from a JavaScript template literal (but not from a dynamically computed string). This makes it easy to mark literals in the JavaScript source text as "trusted". Example:
const html = TrustedHTML.fromLiteral`<p>Literal Text</p>`;
Blink component
Blink>SecurityFeature>TrustedTypes
TAG review
n/a
TAG review status
Not applicable
Risks
Interoperability and Compatibility
Gecko: No signal. (Gecko has not implemented Trusted Types.)
WebKit: No signal. (WebKit has not implemented Trusted Types.)
Web developers: Positive (https://github.com/w3c/trusted-types/issues/347)
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No.
Debuggability
It's a new method. Its use can be readily debugged in DevTools.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
Is this feature fully tested by web-platform-tests?
Yes
Flag name
TrustedTypesFromLiteral
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1271149
Estimated milestones
108
Anticipated spec changes
Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6551852775112704
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMW%2BtvbM8eAxv5HJC0JW192EWSX_VmE7Yugta5Z5G-nXg%40mail.gmail.com.
This seems like a pretty minor and uncontroversial extension to trusted types to me. But it also seems like a good time to just check in on the state of discussion around TrustedTypes with other vendors.
Also, can you please share the wpt.fyi link for the tests for this feature?
On Thu, Sep 29, 2022 at 4:34 PM 'Daniel Vogelheim' via blink-dev <blin...@chromium.org> wrote:
> Contact emails
> voge...@chromium.org
> Specification
> https://w3c.github.io/trusted-types/dist/spec/#trusted-html
> Summary
> Add a function to each "Trusted Type" to create an instance from a JavaScript template literal (but not from a dynamically computed string). This makes it easy to mark literals in the JavaScript source text as "trusted". Example:
> const html = TrustedHTML.fromLiteral`<p>Literal Text</p>`;
> Blink component
> Blink>SecurityFeature>TrustedTypes
> TAG review
> n/a
> TAG review status
> Not applicable
> Risks
> Interoperability and Compatibility
> Gecko: No signal. (Gecko has not implemented Trusted Types.)
> WebKit: No signal. (WebKit has not implemented Trusted Types.)
> Web developers: Positive (https://github.com/w3c/trusted-types/issues/347)
Can you point out specific signals in that thread that should be counted as web developer ones?
Apologies this took a while, but the explainer bit has now landed here: https://github.com/w3c/trusted-types/blob/main/explainer.md#source-literals
Thanks!!
On Friday, October 21, 2022 at 11:30:22 AM UTC+2 Daniel Vogelheim wrote:
> Apologies this took a while, but the explainer bit has now landed here: https://github.com/w3c/trusted-types/blob/main/explainer.md#source-literals
I'm guessing that "const value = TrustedHTML.fromLiteral`<b>Hello there ${user_provided_name}</b>`;" will throw as well, right?
LGTM2
/Daniel
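The literal-versus-computed distinction this thread discusses, as an added sketch that is not part of the original messages and is not Blink's implementation: a script-level tag function that accepts only a plain template literal and rejects interpolation and ordinary calls. `literalOnly`, `LiteralString`, `forgedTemplateObject` and the sample input are hypothetical names and values chosen for the example; script can only approximate the check, since a hand-built frozen array with a frozen `raw` passes it.

```javascript
// Added sketch, not Blink's implementation. `literalOnly` and `LiteralString`
// are hypothetical names; Node has no TrustedHTML, so a plain class stands in.
class LiteralString {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

function literalOnly(strings, ...substitutions) {
  // A tagged call passes a frozen array that carries a frozen `raw` array.
  const looksLikeTemplateObject =
    Array.isArray(strings) && Object.isFrozen(strings) &&
    Array.isArray(strings.raw) && Object.isFrozen(strings.raw) &&
    strings.length === strings.raw.length;
  if (!looksLikeTemplateObject) {
    throw new TypeError("must be called as a template tag");
  }
  // Each ${...} adds one entry to `strings` and one substitution.
  if (strings.length !== 1 || substitutions.length !== 0) {
    throw new TypeError("interpolation is not allowed");
  }
  return new LiteralString(strings[0]);
}

// Run one call and report either the accepted string or the error raised.
function outcome(fn) {
  try { return String(fn()); } catch (e) { return `${e.name}: ${e.message}`; }
}

const userProvidedName = "<i>untrusted</i>"; // constructed sample input

function forgedTemplateObject(text) {
  // Limitation of any script-level check: this hand-built array passes it.
  const strings = [text];
  strings.raw = Object.freeze([text]);
  return Object.freeze(strings);
}

const results = {
  literal: outcome(() => literalOnly`<p>Literal Text</p>`),
  interpolated: outcome(() => literalOnly`<b>Hello there ${userProvidedName}</b>`),
  plainCall: outcome(() => literalOnly(`<b>${userProvidedName}</b>`)),
  unfrozenArray: outcome(() => literalOnly([`<b>${userProvidedName}</b>`])),
  forged: outcome(() => literalOnly(forgedTemplateObject(userProvidedName))),
};
console.log(results);
```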