Hola,
Igalia has been working on the implementation of Trusted Types for a
while, but it seems an intent to ship was never sent, so I just sent one.
While working on the implementation, we have made a big effort to
improve and extend test coverage. Currently, we are passing all the WPT
tests, except the ones for tentative features that are not part of the
spec: https://bugzilla.mozilla.org/show_bug.cgi?id=1939805#c7
Because Trusted Types require some extra checks in some APIs accepting
strings, there is a risk for performance regression in critical paths
(e.g. innerHTML setter). We have done our best to mitigate these issues
and at least speedometer looks good. Meta bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1936014
Trusted Types may potentially cause regression with Firefox's UA widgets
and web extensions content script, if they use any "powerful API" in a
page with Trusted Types enforcement enabled. We have detected some of
them and tried to address this issue by skipping Trusted Types checks in
these trusted places ; at this point it probably only remains edge
cases, but it's difficult to know exactly. Relevant bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1948227
https://bugzilla.mozilla.org/show_bug.cgi?id=1990732
Given the above points, the idea is to enable Trusted Types
incrementally and catch any potential regressions asap. As a first step,
we are tentatively enabling Trusted Types in nighly build today:
https://bugzilla.mozilla.org/show_bug.cgi?id=1955251
Frédéric Wang
Le 29/09/2025 à 11:21, Frédéric Wang a écrit :
Summary: An API that allows applications to lock down powerful APIs to
only accept non-spoofable, typed values in place of strings to prevent
vulnerabilities caused by using these APIs with attacker-controlled
inputs. Basic use case:
// CSP: require-trusted-types-for 'script'
const myTrustedTypesPolicy = trustedTypes.createPolicy("myPolicy", {
createScript: value => myJSSanitizer(value)
});
let script = document.createElement("script");
script.text = unsafeCode; // blocked by CSP.
let trustedScript = myTrustedTypesPolicy.createScript(unsafeCode); //
create a Trusted Type wrapping the string returned by
myJSSanitizer(unsafeCode).
script.text = trustedScript; // not blocked by CSP.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1508286,
https://bugzilla.mozilla.org/show_bug.cgi?id=1845360
Specification:
https://w3c.github.io/trusted-types/,
https://w3c.github.io/webappsec-csp/
https://html.spec.whatwg.org/, https://dom.spec.whatwg.org/
https://tc39.es/ecma262/
Standards Bodies: W3C, WhatWG, ECMA
Platform coverage: All platforms
Preference: dom.security.trusted_types.enabled
DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1935431
Link to standards-positions discussion:
https://github.com/mozilla/standards-positions/issues/20
Other browsers:
Blink: Shipped
WebKit: Shipped
web-platform-tests:
- trusted_types/
- script-src/script-src-trusted_types_*
- content-security-policy/reporting/report-clips-sample.https.html
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/a90ce4e8-d5cf-4561-91bc-0d49e4e35c7f%40igalia.com.
