Intent to Implement and Ship: Trusted Types fromLiteral


Daniel Vogelheim

Sep 29, 2022, 2:34:16 PM
to blink-dev

Contact emails



Add a function to each "Trusted Type" to create an instance from a JavaScript template literal (but not from a dynamically computed string). This makes it easy to mark literals in the JavaScript source text as "trusted". Example:

const html = TrustedHTML.fromLiteral`<p>Literal Text</p>`;

Blink component


TAG review


TAG review status

Not applicable


Interoperability and Compatibility

Gecko: No signal. (Gecko has not implemented Trusted Types.)

WebKit: No signal. (WebKit has not implemented Trusted Types.)

Web developers: Positive (

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? No.


It's a new method. Its use can be readily debugged in DevTools.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?


Is this feature fully tested by web-platform-tests?


Flag name


Requires code in //chrome?


Tracking bug

Estimated milestones


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

Link to entry on the Chrome Platform Status

Jun Kokatsu

Sep 29, 2022, 4:46:07 PM
to blink-dev, Daniel Vogelheim
This is awesome! Thank you for working on this Daniel!


Jakub Vrána

Oct 3, 2022, 2:55:38 PM
to blink-dev, Jun Kokatsu, Daniel Vogelheim
From a practical standpoint, it would be better if the methods were named e.g. htmlLiteral, scriptLiteral and scriptUrlLiteral. Having the same methods in all three types makes it impossible to import just that method (or then it's not descriptive and collides if you import more). Writing TrustedScriptURL.fromLiteral`/` is quite a mouthful.

On Thursday, September 29, 2022 at 6:46:07 PM UTC+2, Jun Kokatsu wrote:

Domenic Denicola

Oct 4, 2022, 1:02:02 AM
to Jakub Vrána, blink-dev, Jun Kokatsu, Daniel Vogelheim
You can import and rename at the same time using standard JavaScript syntax:

const htmlLiteral = TrustedHTML.fromLiteral;

Rick Byers

Oct 4, 2022, 3:40:17 PM
to Domenic Denicola, Jakub Vrána, blink-dev, Jun Kokatsu, Daniel Vogelheim
This seems like a pretty minor and uncontroversial extension to trusted types to me. But it also seems like a good time to just check-in on the state of discussion around TrustedTypes with other vendors.

I see Mozilla has a "neutral" status saying they're not sure about utility. Is this UseCounter accurate in saying that in Chrome >10% of page loads are on pages which have explicitly enabled the enforcement of trusted types? I don't think it needs to block this intent, but could you update the Mozilla standards position with current evidence we have on the value TrustedTypes is providing some major partners who have opted in? If it's accurate, the high usage alone seems to counter the "lack of utility" argument to me, but perhaps we can do even better now? Eg. are there any anecdotes of security issues being caught as a result? Are we aware of any cases where users were exposed to attack in browsers using other engines but protected on Chromium?

It looks like nobody ever replied to the request for position from WebKit. Maybe worth filing a request in their new tracker so we have a better record of it?

Also, can you please share the link for the tests for this feature?


Rick Byers

Oct 4, 2022, 3:57:11 PM
to Domenic Denicola, Jakub Vrána, blink-dev, Jun Kokatsu, Daniel Vogelheim
Oh, I should also add that I reviewed the TAG design review of trusted types. It sounds like TAG was only able to provide feedback on the high-level design, not API-by-API detail, so I suspect TAG wouldn't find value in spending time on this one minor addition. Others may disagree though.


Yoav Weiss

Oct 5, 2022, 9:52:59 AM
to Daniel Vogelheim, blink-dev
On Thu, Sep 29, 2022 at 4:34 PM 'Daniel Vogelheim' via blink-dev <> wrote:

Web developers: Positive (

Can you point out specific signals in that thread that should be counted as web developer ones?

Yoav Weiss

Oct 5, 2022, 9:56:11 AM
to Daniel Vogelheim, blink-dev
Could you also update the explainer to also cover these new methods and how developers would use them?

Daniel Vogelheim

Oct 6, 2022, 5:08:40 PM
to Rick Byers, Domenic Denicola, Jakub Vrána, blink-dev, Jun Kokatsu
Hi Rick,

On Tue, Oct 4, 2022 at 5:40 PM Rick Byers <> wrote:
This seems like a pretty minor and uncontroversial extension to trusted types to me. But it also seems like a good time to just check-in on the state of discussion around TrustedTypes with other vendors.

Our most recent check-ins are a March 2022 WebAppSec meeting, where Facebook, Microsoft, and Google reported about their Trusted Types deployments & results, and a mid-2021 Trusted Types "state of the union" report, also shared and discussed with the W3C WebAppSec community group. These also discuss results, e.g. the former: "[Number] of XSS [reported at Google] halved in 2020 and 2021. 0 DOM XSS in all TT applications".

I certainly think we should keep these discussions going, but I'm a bit afraid of over-doing it. Also, we don't really have new results since those meetings.

Also, can you please share the link for the tests for this feature?

The change is a single CL, and I didn't want to land it before having lgtm for shipping. Thus the tests aren't in yet. The tests in the CL are here (plus a few modifications to other tests.)

If it's important that the tests are in for the API owners' review, I'll be happy to use a feature flag to land this default-off, wait for API owners' lgtm, and then enable it separately.

Jun Kokatsu

Oct 6, 2022, 5:19:20 PM
to blink-dev, Daniel Vogelheim
On Wednesday, October 5, 2022 at 2:52:59 AM UTC-7 wrote:
On Thu, Sep 29, 2022 at 4:34 PM 'Daniel Vogelheim' via blink-dev <> wrote:

Web developers: Positive (

Can you point out specific signals in that thread that should be counted as web developer ones?
It's a little hard to tell, but that issue was a feature request from a developer (i.e. me).
At the time, I was working at Microsoft, where I worked with the Bing team to deploy Trusted Types in some of their products, and that was a request that I made.

Yoav Weiss

Oct 19, 2022, 3:34:29 PM
to blink-dev, Jun Kokatsu, Yoav Weiss, blink-dev, Daniel Vogelheim
Friendly ping on an explainer update :)

Daniel Vogelheim

Oct 21, 2022, 9:30:22 AM
to Yoav Weiss, blink-dev
Apologies this took a while, but the explainer bit has now landed here: 

Yoav Weiss

Oct 25, 2022, 9:03:20 AM
to blink-dev, Daniel Vogelheim, blink-dev, Yoav Weiss

On Friday, October 21, 2022 at 11:30:22 AM UTC+2 Daniel Vogelheim wrote:
Apologies this took a while, but the explainer bit has now landed here: 

I'm guessing that "const value = TrustedHTML.fromLiteral`<b>Hello there ${user_provided_name}</b>`;" will throw as well, right?

Daniel Vogelheim

Oct 25, 2022, 11:38:46 AM
to Yoav Weiss, blink-dev
On Tue, Oct 25, 2022 at 11:03 AM Yoav Weiss <> wrote:

On Friday, October 21, 2022 at 11:30:22 AM UTC+2 Daniel Vogelheim wrote:
Apologies this took a while, but the explainer bit has now landed here: 

I'm guessing that "const value = TrustedHTML.fromLiteral`<b>Hello there ${user_provided_name}</b>`;" will throw as well, right?

I proposed improved wording for the explainer, but kept it very brief to keep it within the spirit of an explainer.
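An added illustrative example, not code from this thread and not Chromium's implementation, of the semantics the intent describes ("from a JavaScript template literal, but not from a dynamically computed string") and of the case Yoav asks about above (a literal with a `${...}` substitution). It is a tag-function shim that accepts exactly one literal chunk and rejects substitutions, plain strings and hand-built arrays. It assumes a runtime with no native TrustedHTML (e.g. Node); the names `isTemplateObject`, `LiteralTrustedHTML`, `TrustedHTMLShim` and `demo` are mine, and the frozen-array test is a forgeable stand-in for the engine's IsTemplateObject check that the real API relies on. Whether the shipped fromLiteral throws on substitutions should be confirmed against the spec; the shim does.

```javascript
// Illustrative shim (added example, not Chromium's implementation).
// Assumes no native TrustedHTML exists in this runtime, e.g. Node.

// Stand-in for the engine's IsTemplateObject check. A template object built
// from source text is a frozen array with a frozen `raw` array of the same
// length. Assumption: Node has no Array.isTemplateObject, so this heuristic
// is used instead; unlike the engine's check it can be forged by user code.
function isTemplateObject(strings) {
  return Array.isArray(strings) &&
    Object.isFrozen(strings) &&
    Array.isArray(strings.raw) &&
    Object.isFrozen(strings.raw) &&
    strings.raw.length === strings.length;
}

// Minimal stand-in for a TrustedHTML instance: an opaque wrapper whose only
// way out is toString(), so the value cannot be altered after creation.
class LiteralTrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
  toJSON() { return this.#value; }
}

// Tag function: accepts exactly one literal chunk and no substitutions, so
// the resulting value can only have come from the script's source text.
function fromLiteral(strings, ...values) {
  if (!isTemplateObject(strings)) {
    throw new TypeError('fromLiteral must be called as a template literal tag');
  }
  if (values.length !== 0 || strings.length !== 1) {
    throw new TypeError('fromLiteral does not accept substitutions');
  }
  return new LiteralTrustedHTML(strings[0]);
}

const TrustedHTMLShim = { fromLiteral };

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Exercise the shim. The attacker-controlled string is constructed for the
// example; each rejected case is one way a dynamically computed string could
// try to reach innerHTML wearing a "trusted" label.
function demo() {
  const userProvidedName = '<img src=x onerror=alert(1)>'; // constructed input
  const htmlLiteral = TrustedHTMLShim.fromLiteral; // the rename Domenic suggests
  return {
    literal: String(TrustedHTMLShim.fromLiteral`<p>Literal Text</p>`),
    renamed: String(htmlLiteral`<i>ok</i>`),
    substitution: throwsTypeError(
      () => TrustedHTMLShim.fromLiteral`<b>Hello there ${userProvidedName}</b>`),
    plainString: throwsTypeError(
      () => TrustedHTMLShim.fromLiteral('<p>' + userProvidedName + '</p>')),
    forgedArray: throwsTypeError(
      () => TrustedHTMLShim.fromLiteral(['<p>' + userProvidedName + '</p>'])),
  };
}
```

In a browser that ships the feature, use the native TrustedHTML.fromLiteral and drop the shim entirely; the forgedArray case is exactly what the engine's IsTemplateObject check closes off, and a frozen-array heuristic like the one above should not be relied on as a security boundary.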

Daniel Vogelheim

Oct 25, 2022, 1:03:07 PM
to Yoav Weiss, blink-dev
Update: I pushed the release target out to 109, so we'll have more time to sort this out.

Yoav Weiss

Oct 26, 2022, 3:34:25 PM
to blink-dev, Daniel Vogelheim, blink-dev, Yoav Weiss

Thanks for explainer and extra explanations!!

Daniel Bratell

Oct 26, 2022, 3:35:40 PM
to Yoav Weiss, blink-dev, Daniel Vogelheim

Chris Harrelson

Oct 26, 2022, 4:09:53 PM
to Daniel Bratell, Yoav Weiss, blink-dev, Daniel Vogelheim