Hi Daniel, et al.,

Unfortunately, I don't have a nice document with the changes. The WPT suite
is quite thorough, however, and can provide us with a canonical list of
observable differences: The TT-related test differences between our current
stable version without the flag (i.e., implementation of the old spec) vs
the current version with experimental flags enabled
<https://wpt.fyi/results/trusted-types?sha=80ed8d6999&label=master&max-count=1&product=chrome%5Bstable%5D&product=chrome%5Bexperimental%5D>.

The changes are a fairly large grab bag of editorial changes and
clarifications, where the original spec -- written as a "monkey patch" for
HTML -- was incomplete or inconsistent. The intent of the changes was
always to keep the existing behaviour, but to fill in under-specified or
inconsistent bits. The "large" changes fall into three buckets:

   - Error reports (via CSPViolationException or CSP error reporting)
   contain the "sink name", usually the element + attribute name. These have
   changed in quite a few cases.
      - This test
      <https://wpt.fyi/results/trusted-types/set-attributes-require-trusted-types-default-policy.html?sha=80ed8d6999&label=master&max-count=1&product=chrome%5Bstable%5D&product=chrome%5Bexperimental%5D>
      would be a good example. The original "sink names" we used were fairly
      ad-hoc. E.g. when calling `setAttribute("onclick", ...)` we'd report
      "Element setAttribute" as the sink. The current spec wants this to be
      "Element onclick", which admittedly makes a lot more sense.
   - The order of checks within a DOM method, i.e., when exactly the TT
   check is run, has now been properly specified. This is oftentimes observable
   when you have competing error conditions.
      - This CL
      <https://chromium-review.googlesource.com/c/chromium/src/+/6243963>
      would be a good example. Note that the implementation change only moved a
      few lines of code around, but fixed a fairly large number of WPT tests in
      the process.
   - Trusted Types (when enabled) mostly just blocks invocation of some DOM
   methods on some elements/attributes, but it also allows you to query on
   which attributes it would do so. These "metadata" functions have been more
   thoroughly specified, especially with respect to namespaces.
      - These functions were originally somewhat underspecified. The
      updated spec is a lot more clear, and our implementation adapts
      to this. This test
      <https://wpt.fyi/results/trusted-types/TrustedTypePolicyFactory-getAttributeType.html?sha=80ed8d6999&label=master&max-count=1&product=chrome%5Bstable%5D&product=chrome%5Bexperimental%5D>
      would be a good example.

The fact that Safari launched their version of TT
<https://webkit.org/blog/17333/webkit-features-in-safari-26-0/#web-api>
without much notice of these differences makes me quite confident that
websites aren't inadvertently relying on them.

All implementation changes are tracked in the tracking bug
<http://issues.chromium.org/issues/330516530>.


Daniel

On Fri, Dec 5, 2025 at 11:00 PM Daniel Bratell <[email protected]> wrote:

> Is there a diff-document or changelog or something else that can document
> what the actual change is? You say that "some [...] may be developer
> observable", and I guess it is those changes that matter here, but what are
> they?
>
> /Daniel
> On 2025-12-04 15:49, Chromestatus wrote:
>
> *Contact emails*
> [email protected]
>
> *Specification*
> https://html.spec.whatwg.org/#:~:text=Trusted%20Types
>
> *Summary*
> Trusted Types (
> https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API) was
> originally implemented and launched in Chromium in 2019, and has since
> found use in numerous websites. It has recently gained interest from other
> browser vendors. The Trusted Type spec was co-written as a "monkey patch"
> spec along with our original implementation. It now receives fresh
> attention as others are trying to implement the same spec. It has now been
> "upstreamed" into HTML + DOM (plus a bit of CSP). As part of that process,
> various inconsistencies are being identified and fixed. Some of these fixes
> may be developer observable. This intent is to update our implementation to
> match the spec, as it's upstreamed into HTML. Meanwhile, WebKit has
> launched their implementation of the updated Trusted Types spec, which
> gives us high confidence that this update is highly web compatible.
>
> *Blink component*
> Blink>SecurityFeature>TrustedTypes
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%3ETrustedTypes%22>
>
> *Web Feature ID*
> trusted-types <https://webstatus.dev/features/trusted-types>
>
> *Motivation*
> The Trusted Types spec has been upstreamed into HTML, with some minor
> cleanups and changes. Our implementation should follow the updated spec to
> ensure cross-browser compatibility. Spec:
> https://w3c.github.io/trusted-types/dist/spec/ +
> https://html.spec.whatwg.org/
>
> *Initial public proposal*
> *No information provided*
>
> *TAG review*
> *No information provided*
>
> *TAG review status*
> Not applicable
>
> *Risks*
>
>
> *Interoperability and Compatibility*
> The goal is to achieve full cross-browser interoperability. Meanwhile,
> both WebKit and Firefox have enabled their version -- at least in testing
> builds -- without any major incompatibility reports. This makes us rather
> confident that the compatibility risk is low.
>
> *Gecko*: Positive (
> https://github.com/mozilla/standards-positions/issues/20) Firefox has
> enabled their version in Nightly:
> https://www.firefox.com/en-US/firefox/145.0a1/releasenotes/
>
> *WebKit*: Support (
> https://github.com/WebKit/standards-positions/issues/186) WebKit has
> launched their version:
> https://developer.apple.com/documentation/safari-release-notes/safari-26-release-notes#New-Features
>
> *Web developers*: Positive
>
> *Other signals*:
>
> *WebView application risks*
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
> *No information provided*
>
>
> *Debuggability*
> *No information provided*
>
> *Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?*
> Yes
>
> *Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
> Yes
> https://wpt.fyi/results/trusted-types/
>
> *Flag name on about://flags*
> *No information provided*
>
> *Finch feature name*
> TrustedTypesHTML
>
> *Rollout plan*
> Will ship enabled for all users
>
> *Requires code in //chrome?*
> False
>
> *Tracking bug*
> https://issues.chromium.org/u/1/issues/330516530
>
> *Estimated milestones*
> Shipping on desktop 145
> Shipping on Android 145
> Shipping on WebView 145
>
> *Anticipated spec changes*
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
> All anticipated spec changes have landed in HTML, DOM, and CSP specs.
>
> *Link to entry on the Chrome Platform Status*
> https://chromestatus.com/feature/5163792014245888?gate=5109165432504320
>
> *Links to previous Intent discussions*
> Intent to Prototype:
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMLJR2%3DBqAugsavCtqSR0Z_CQOgWHjeiyzpU0crTphANQ%40mail.gmail.com
>
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com>.
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69319f7c.050a0220.107b62.1926.GAE%40google.com
> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69319f7c.050a0220.107b62.1926.GAE%40google.com?utm_medium=email&utm_source=footer>
> .
>
>
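
The sink-name change described in the first bullet of the reply above, seen from the side of a CSP report collector: an added example, not part of the thread or of Chromium's code. It assumes each report exposes `effectiveDirective` and a `sample` of the form `<sink name>|<truncated value>`; the function names, the bucket label and the sample reports are constructed for illustration.

```javascript
// Assumption: a Trusted Types violation report has effectiveDirective
// "require-trusted-types-for" and a sample "<sink name>|<truncated value>".
const LEGACY_ATTRIBUTE_SINK = "Element setAttribute"; // old name, from the thread

// Split a report sample into sink name, interface, member and value snippet.
function parseSample(sample) {
  if (typeof sample !== "string") return null;
  const bar = sample.indexOf("|"); // first "|" only: the value may contain more
  if (bar <= 0) return null;       // no sink prefix, cannot be attributed
  const sink = sample.slice(0, bar).trim();
  const space = sink.indexOf(" ");
  return {
    sink,
    iface: space < 0 ? sink : sink.slice(0, space),
    member: space < 0 ? "" : sink.slice(space + 1),
    snippet: sample.slice(bar + 1),
  };
}

// Grouping key that stays the same before and after the rename. Heuristic of
// this example: an "on*" member is an event-handler attribute write.
function bucket(parsed) {
  if (parsed.sink === LEGACY_ATTRIBUTE_SINK) return "Element attribute write";
  if (/^on[a-z]+$/.test(parsed.member)) return `${parsed.iface} attribute write`;
  return parsed.sink;
}

// Count reports per bucket and record which raw sink names fed each bucket.
function summarize(reports) {
  const out = {};
  for (const r of reports) {
    if (r.effectiveDirective !== "require-trusted-types-for") continue;
    const parsed = parseSample(r.sample);
    const key = parsed ? bucket(parsed) : "unparsed";
    out[key] = out[key] || { count: 0, sinks: [] };
    out[key].count += 1;
    if (parsed && !out[key].sinks.includes(parsed.sink)) out[key].sinks.push(parsed.sink);
  }
  return out;
}

// Constructed reports: the same page defect seen by an old and an updated build.
const SAMPLE_REPORTS = [
  { effectiveDirective: "require-trusted-types-for", sample: "Element setAttribute|track('a|b')" },
  { effectiveDirective: "require-trusted-types-for", sample: "Element onclick|track('a|b')" },
  { effectiveDirective: "script-src-elem", sample: "" },
  { effectiveDirective: "require-trusted-types-for", sample: "no separator here" },
];
console.log(JSON.stringify(summarize(SAMPLE_REPORTS), null, 2));
```

Alert rules or dashboards keyed on the literal string "Element setAttribute" would otherwise go quiet after the update while the same violations keep arriving under per-attribute names.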
