This seems like a pretty minor and uncontroversial extension to trusted types to me. But it also seems like a good time to just check in on the state of discussion around TrustedTypes with other vendors.

I see Mozilla has a "neutral <https://mozilla.github.io/standards-positions/#trusted-types>" status saying they're not sure about utility. Is this UseCounter <https://chromestatus.com/metrics/feature/timeline/popularity/3160> accurate in saying that in Chrome >10% of page loads are on pages which have explicitly enabled the enforcement of trusted types? I don't think it needs to block this intent, but could you update the Mozilla standards position with current evidence we have on the value TrustedTypes is providing some major partners who have opted in? If it's accurate, the high usage alone seems to counter the "lack of utility" argument to me, but perhaps we can do even better now? E.g. are there any anecdotes of security issues being caught as a result? Are we aware of any cases where users were exposed to attack in browsers using other engines but protected on Chromium?

It looks like nobody ever replied to the request for position from WebKit <https://www.mail-archive.com/webkit-dev@lists.webkit.org/msg30438.html>. Maybe worth filing a request in their new tracker <https://github.com/WebKit/standards-positions> so we have a better record of it?

Also, can you please share the wpt.fyi link for the tests for this feature?

Thanks,
Rick

On Mon, Oct 3, 2022 at 9:02 PM Domenic Denicola <dome...@chromium.org> wrote:

> You can import and rename at the same time using standard JavaScript
> syntax:
>
> const htmlLiteral = TrustedHTML.fromLiteral;
>
> htmlLiteral`...`
>
> On Mon, Oct 3, 2022 at 11:55 PM Jakub Vrána <ja...@vrana.cz> wrote:
>
>> From a practical standpoint, it would be better if the methods are named
>> e.g. htmlLiteral, scriptLiteral and scriptUrlLiteral. Having the same
>> methods in all three types makes it impossible to import just that method
>> (or then it's not descriptive and collides if you import more).
>> Writing TrustedScriptURL.fromLiteral`/` is quite a mouthful.
>>
>> On Thursday, September 29, 2022 at 18:46:07 UTC+2, Jun Kokatsu wrote:
>>
>>> This is awesome! Thank you for working on this Daniel!
>>>
>>> Jun
>>>
>>> On Thursday, September 29, 2022 at 7:34:16 AM UTC-7 Daniel Vogelheim
>>> wrote:
>>>
>>>> Contact emails
>>>> voge...@chromium.org
>>>>
>>>> Specification
>>>> https://w3c.github.io/trusted-types/dist/spec/#trusted-html
>>>>
>>>> Summary
>>>>
>>>> Add a function to each "Trusted Type" to create an instance from a
>>>> JavaScript template literal (but not from a dynamically computed string).
>>>> This makes it easy to mark literals in the JavaScript source text as
>>>> "trusted". Example:
>>>>
>>>> const html = TrustedHTML.fromLiteral`<p>Literal Text</p>`;
>>>>
>>>> Blink component
>>>> Blink>SecurityFeature>TrustedTypes
>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ETrustedTypes>
>>>>
>>>> TAG review
>>>> n/a
>>>>
>>>> TAG review status
>>>> Not applicable
>>>>
>>>> Risks
>>>>
>>>> Interoperability and Compatibility
>>>>
>>>> *Gecko*: No signal. (Gecko has not implemented Trusted Types.)
>>>>
>>>> *WebKit*: No signal. (WebKit has not implemented Trusted Types.)
>>>>
>>>> *Web developers*: Positive (
>>>> https://github.com/w3c/trusted-types/issues/347)
>>>>
>>>> *Other signals*:
>>>>
>>>> WebView application risks
>>>>
>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>> that it has potentially high risk for Android WebView-based applications?
>>>> No.
>>>>
>>>> Debuggability
>>>>
>>>> It's a new method. Its use can be readily debugged in DevTools.
>>>>
>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>> Yes
>>>>
>>>> Is this feature fully tested by web-platform-tests
>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>> Yes
>>>>
>>>> Flag name
>>>> TrustedTypesFromLiteral
>>>>
>>>> Requires code in //chrome?
>>>> False
>>>>
>>>> Tracking bug
>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1271149
>>>>
>>>> Estimated milestones
>>>>
>>>> 108
>>>>
>>>> Anticipated spec changes
>>>>
>>>> Open questions about a feature may be a source of future web compat or
>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>> in the project for the feature specification) whose resolution may
>>>> introduce web compat/interop risk (e.g., changing to naming or structure of
>>>> the API in a non-backward-compatible way).
>>>>
>>>> Link to entry on the Chrome Platform Status
>>>> https://chromestatus.com/feature/6551852775112704
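
The "template literal, but not a dynamically computed string" rule from the intent's summary, sketched as an added example that is not part of the thread and is not Chromium's code. htmlFromLiteral and LiteralHTML are hypothetical stand-ins for TrustedHTML.fromLiteral and TrustedHTML, and the shape check is a userland approximation that assumes nothing about how the browser performs the check.

```javascript
'use strict';
// Added illustration, not Chromium's code. htmlFromLiteral and LiteralHTML
// are hypothetical stand-ins for TrustedHTML.fromLiteral and TrustedHTML.

class LiteralHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// A tagged-template call passes a frozen strings array that carries a
// frozen `raw` array of the same length; a plain string argument does not.
function looksLikeTemplateObject(strings) {
  return Array.isArray(strings) && Object.isFrozen(strings) &&
    Array.isArray(strings.raw) && Object.isFrozen(strings.raw) &&
    strings.raw.length === strings.length;
}

function htmlFromLiteral(strings, ...values) {
  if (!looksLikeTemplateObject(strings)) {
    throw new TypeError('htmlFromLiteral must be called as a template tag');
  }
  // An interpolation would carry runtime data into the "literal".
  if (strings.length !== 1 || values.length !== 0) {
    throw new TypeError('interpolation is not allowed in a literal');
  }
  return new LiteralHTML(strings[0]);
}

// Returns the created markup, or the name of the error that was thrown.
function outcome(fn) {
  try { return String(fn()); } catch (e) { return e.constructor.name; }
}

function demo() {
  const dynamic = '<p>' + 'constructed runtime value' + '</p>';
  // Hand-built array with the same shape as a template object.
  const lookalike = ['<p>x</p>'];
  lookalike.raw = Object.freeze(['<p>x</p>']);
  Object.freeze(lookalike);
  return {
    literal: outcome(() => htmlFromLiteral`<p>Literal Text</p>`),
    plainCall: outcome(() => htmlFromLiteral(dynamic)),
    interpolated: outcome(() => htmlFromLiteral`<div>${dynamic}</div>`),
    // The shape check accepts this, so it is not a security boundary.
    lookalike: outcome(() => htmlFromLiteral(lookalike)),
  };
}

console.log(demo());
```

The lookalike case is the reason a script-level check like this cannot stand in for one enforced by the browser: any code can build an array of the same shape.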