As of Firefox 148, I intend to turn Trusted Types on by default on all
platforms. It has been developed behind the
dom.security.trusted_types.enabled preference. Status in other browsers:
shipped since Chromium 83 (but see some notes below) and Safari 26.
Bug to turn on by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=1994690
Standards:
https://w3c.github.io/trusted-types/,
https://w3c.github.io/webappsec-csp/,
https://html.spec.whatwg.org/,
https://dom.spec.whatwg.org/ and
https://tc39.es/ecma262/
This feature was previously discussed in this "Intent to prototype"
thread:
https://groups.google.com/a/mozilla.org/g/dev-platform/c/zQaRDA68e5A/m/XX_CRC4mAQAJ
Since then, there have been some adjustments in the spec (bug 1997521)
and WPT tests, but we still have the best score of all browsers
(https://wpt.fyi/results/trusted-types?label=experimental&label=master&aligned).
The TrustedTypes spec had diverged a lot from Chromium's initial
implementation. Chromium's WPT score was much lower than WebKit/Firefox,
causing interop concerns. However, per
https://groups.google.com/a/chromium.org/g/blink-dev/c/OjQXhCZiXe0/m/VW2bMfeoCgAJ,
they plan to ship it in Chromium 145 (Feb 10). So if their plan goes
as expected, that would be before Firefox 148 (Feb 24).
Since we enabled TrustedTypes in Firefox Nightly, there was only one
serious regression reported (involving an already known TODO) and it has
finally been fixed now. For more details, see bug 1997818 and bug 2001929.
Initially, we intended to go through Origin Trials for Trusted Types
(bug 1991658) but due to some technical limitations with our Origin
Trials implementation (bug 1757935) we decided to skip that. Instead, we
relied on the fact that no serious TT issues were reported to us
(Igalia) regarding:
1) TrustedTypes enabled in Firefox early beta (
https://bugzilla.mozilla.org/show_bug.cgi?id=1992941 )
2) TrustedTypes enabled in Safari 26, which had similar alignment with
the latest TrustedTypes spec.
3) Google experimenting with their products on Firefox with TrustedTypes enabled.
That gives us more confidence to go ahead with shipping TrustedTypes in
Firefox.