Oh, I should also add that I reviewed the TAG design review <https://github.com/w3ctag/design-reviews/issues/198> of trusted types. It sounds like TAG was only able to provide feedback on the high-level design, not API-by-API detail, so I suspect TAG wouldn't find value in spending time on this one minor addition. Others may disagree though.
Rick

On Tue, Oct 4, 2022 at 11:39 AM Rick Byers <rby...@chromium.org> wrote:

> This seems like a pretty minor and uncontroversial extension to trusted
> types to me. But it also seems like a good time to just check in on the
> state of discussion around TrustedTypes with other vendors.
>
> I see Mozilla has a "neutral
> <https://mozilla.github.io/standards-positions/#trusted-types>" status
> saying they're not sure about utility. Is this UseCounter
> <https://chromestatus.com/metrics/feature/timeline/popularity/3160> accurate
> in saying that in Chrome >10% of page loads are on pages which have
> explicitly enabled the enforcement of trusted types? I don't think it needs
> to block this intent, but could you update the Mozilla standards position
> with current evidence we have on the value TrustedTypes is providing some
> major partners who have opted in? If it's accurate, the high usage alone
> seems to counter the "lack of utility" argument to me, but perhaps we can
> do even better now? E.g. are there any anecdotes of security issues being
> caught as a result? Are we aware of any cases where users were exposed to
> attack in browsers using other engines but protected on Chromium?
>
> It looks like nobody ever replied to the request for position from WebKit
> <https://www.mail-archive.com/webkit-dev@lists.webkit.org/msg30438.html>.
> Maybe worth filing a request in their new tracker
> <https://github.com/WebKit/standards-positions> so we have a better
> record of it?
>
> Also, can you please share the wpt.fyi link for the tests for this feature?
>
> Thanks,
> Rick
>
> On Mon, Oct 3, 2022 at 9:02 PM Domenic Denicola <dome...@chromium.org>
> wrote:
>
>> You can import and rename at the same time using standard JavaScript
>> syntax:
>>
>> const htmlLiteral = TrustedHTML.fromLiteral;
>>
>> htmlLiteral`...`
>>
>> On Mon, Oct 3, 2022 at 11:55 PM Jakub Vrána <ja...@vrana.cz> wrote:
>>
>>> From a practical standpoint, it would be better if the methods are named
>>> e.g. htmlLiteral, scriptLiteral and scriptUrlLiteral. Having the same
>>> methods in all three types makes it impossible to import just that method
>>> (or then it's not descriptive and collides if you import more).
>>> Writing TrustedScriptURL.fromLiteral`/` is quite a mouthful.
>>>
>>> On Thursday, September 29, 2022 at 18:46:07 UTC+2, Jun Kokatsu wrote:
>>>
>>>> This is awesome! Thank you for working on this Daniel!
>>>>
>>>> Jun
>>>>
>>>> On Thursday, September 29, 2022 at 7:34:16 AM UTC-7 Daniel Vogelheim
>>>> wrote:
>>>>
>>>>> Contact emails
>>>>> voge...@chromium.org
>>>>>
>>>>> Specification
>>>>> https://w3c.github.io/trusted-types/dist/spec/#trusted-html
>>>>>
>>>>> Summary
>>>>>
>>>>> Add a function to each "Trusted Type" to create an instance from a
>>>>> JavaScript template literal (but not from a dynamically computed string).
>>>>> This makes it easy to mark literals in the JavaScript source text as
>>>>> "trusted". Example:
>>>>>
>>>>> const html = TrustedHTML.fromLiteral`<p>Literal Text</p>`;
>>>>>
>>>>> Blink component
>>>>> Blink>SecurityFeature>TrustedTypes
>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ETrustedTypes>
>>>>>
>>>>> TAG review
>>>>> n/a
>>>>>
>>>>> TAG review status
>>>>> Not applicable
>>>>>
>>>>> Risks
>>>>>
>>>>> Interoperability and Compatibility
>>>>>
>>>>> *Gecko*: No signal. (Gecko has not implemented Trusted Types.)
>>>>>
>>>>> *WebKit*: No signal. (WebKit has not implemented Trusted Types.)
>>>>>
>>>>> *Web developers*: Positive (https://github.com/w3c/trusted-types/issues/347)
>>>>>
>>>>> *Other signals*:
>>>>>
>>>>> WebView application risks
>>>>>
>>>>> Does this intent deprecate or change behavior of existing APIs, such
>>>>> that it has potentially high risk for Android WebView-based applications?
>>>>> No.
>>>>>
>>>>> Debuggability
>>>>>
>>>>> It's a new method. Its use can be readily debugged in DevTools.
>>>>>
>>>>> Will this feature be supported on all six Blink platforms (Windows,
>>>>> Mac, Linux, Chrome OS, Android, and Android WebView)?
>>>>> Yes
>>>>>
>>>>> Is this feature fully tested by web-platform-tests
>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>>>>> Yes
>>>>>
>>>>> Flag name
>>>>> TrustedTypesFromLiteral
>>>>>
>>>>> Requires code in //chrome?
>>>>> False
>>>>>
>>>>> Tracking bug
>>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1271149
>>>>>
>>>>> Estimated milestones
>>>>>
>>>>> 108
>>>>>
>>>>> Anticipated spec changes
>>>>>
>>>>> Open questions about a feature may be a source of future web compat or
>>>>> interop issues. Please list open issues (e.g. links to known github issues
>>>>> in the project for the feature specification) whose resolution may
>>>>> introduce web compat/interop risk (e.g., changing to naming or structure
>>>>> of the API in a non-backward-compatible way).
>>>>>
>>>>> Link to entry on the Chrome Platform Status
>>>>> https://chromestatus.com/feature/6551852775112704
>>>>>
>>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to blink-dev+unsubscr...@chromium.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/641cfa76-9c2d-4521-ad8a-1d61a272cca5n%40chromium.org
>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/641cfa76-9c2d-4521-ad8a-1d61a272cca5n%40chromium.org?utm_medium=email&utm_source=footer>
>>> .
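
The behaviour described in the Intent's summary (accept a template literal, reject a dynamically computed string) together with the rename from Domenic's reply, as an added JavaScript example that is not part of the thread and is not Blink's implementation. `LiteralHTML`, `fromLiteralSketch`, `looksLikeTemplateObject` and `attempt` are hypothetical names, and the sample strings are constructed.

```javascript
// Added example: a script-level sketch, not Blink's implementation.
// All names here are hypothetical; sample strings are constructed.
class LiteralHTML {
  #value;
  constructor(value) { this.#value = value; Object.freeze(this); }
  toString() { return this.#value; }
}

// Shape check: a tagged template passes a frozen array with a frozen `raw`.
function looksLikeTemplateObject(strings) {
  return Array.isArray(strings) &&
    Object.isFrozen(strings) &&
    Array.isArray(strings.raw) &&
    Object.isFrozen(strings.raw) &&
    strings.length === strings.raw.length;
}

// Usable as a tag: fromLiteralSketch`<p>text</p>`
function fromLiteralSketch(strings, ...substitutions) {
  if (!looksLikeTemplateObject(strings)) {
    throw new TypeError('expected a template literal, got a computed value');
  }
  if (strings.length !== 1 || substitutions.length !== 0) {
    throw new TypeError('interpolation (${...}) is not allowed');
  }
  return new LiteralHTML(strings[0]);
}

// Runs fn and reports the outcome instead of throwing.
function attempt(fn) {
  try { return { ok: true, value: String(fn()) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

const htmlLiteral = fromLiteralSketch; // rename, as in Domenic's reply
const untrusted = '<b>' + 'value from user input' + '</b>'; // constructed

const results = {
  literal: attempt(() => htmlLiteral`<p>Literal Text</p>`),
  computedString: attempt(() => fromLiteralSketch(untrusted)),
  computedArray: attempt(() => fromLiteralSketch([untrusted])),
  interpolated: attempt(() => fromLiteralSketch`<p>${untrusted}</p>`),
  // Limit of a shape check: a hand-frozen array with `raw` looks the same.
  forged: attempt(() => fromLiteralSketch(Object.freeze(
    Object.assign([untrusted], { raw: Object.freeze([untrusted]) })))),
};
console.log(results);
```

The `forged` case is accepted because script can only inspect the shape of the strings array, so this sketch is a lint-style guard rather than a substitute for the check the Intent proposes to build into the platform.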