[dev-platform] Intent to ship: Trusted Types

Tue, 09 Dec 2025 02:42:59 -0800

As of Firefox 148, I intend to turn Trusted Types on by default on all platforms. It has been developed behind the dom.security.trusted_types.enabled preference. Status in other browsers is shipped since Chromium 83 (but see some notes below) and Safari 26.
Bug to turn on by default: https://bugzilla.mozilla.org/show_bug.cgi?id=1994690 


Standards:  https://w3c.github.io/trusted-types/, 
https://w3c.github.io/webappsec-csp/ https://html.spec.whatwg.org/, 
https://dom.spec.whatwg.org/ and https://tc39.es/ecma262/



This feature was previously discussed in this "Intent to prototype" 
thread: 
https://groups.google.com/a/mozilla.org/g/dev-platform/c/zQaRDA68e5A/m/XX_CRC4mAQAJ



Since then, there has been some adjustments in the spec (bug 1997521) 
and WPT tests, but we still have the best score of all browsers 
(https://wpt.fyi/results/trusted-types?label=experimental&label=master&aligned).



The TrustedTypes spec had diverged a lot from Chromium's initial 
implementation. Chromium's WPT score was much lower than WebKit/Firefox, 
causing interop concerns. However per 
https://groups.google.com/a/chromium.org/g/blink-dev/c/OjQXhCZiXe0/m/VW2bMfeoCgAJ 
; they plan to ship it in Chromium 145 (Feb 10). So if their plan goes 
as expected, that would be before Firefox 148 (Feb 24).



Since we enabled TrustedTypes in Firefox Nightly, there was only one 
serious regression reported (involving an already known TODO) and it has 
finally been fixed now. For more details, see bug 1997818 and bug 2001929.



Initially, we intended to go through Origin Trials for Trusted Types 
(bug 1991658) but due to some technical limitations with our Origin 
Trials implementation (bug 1757935) we decided to skip that. Instead, we 
relied on the fact that no TT serious issues were reported to us 
(Igalia) regarding:



1) TrustedTypes enabled in Firefox early beta ( 
https://bugzilla.mozilla.org/show_bug.cgi?id=1992941 )



2) TrustedTypes enabled in Safari 26, which had similar alignment with 
the latest TrustedTypes spec.


3) Google experimenting their products with Firefox + TrustedTypes enabled.


That gives us more confidence to go ahead with shipping TrustedTypes in 
Firefox.


--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/a3413941-75fd-402c-a6e1-c74e728ff914%40igalia.com.






















					Reply via email to