Hi everybody, I'd like input on the Trusted Types API[0].
It is a set of APIs intended to protect against DOM-based XSS attacks. It changes various APIs to not accept arbitrary strings, for example `element.innerHTML` can only be assigned a `TrustedHTML` object. These are also policies controllable by Content-Security-Policy[1].

It has been implemented by Chromium 83+ (May 2020). There is a polyfill for everything else[2].

This would be a moderately large task that Igalia would consider starting in H2 if there is consensus on this.

Thanks,
Patrick

[0] https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types#browser_compatibility
[2] https://github.com/w3c/webappsec-trusted-types#polyfill
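
The API described in the message above, as an added example that is not part of the original post: page code routes every `innerHTML` write through one named policy, so the same script runs in an engine that enforces Trusted Types and in one that does not. The policy name `escape-html` and the function names are assumptions made for this illustration.

```javascript
// Added example. Policy name "escape-html" and all function names are assumptions.
// Response header that turns enforcement on in engines that implement the API:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-html

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Policy rule: treat the input as text, never as markup.
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Returns an object exposing createHTML(). Where Trusted Types exists the result
// of createHTML() is a TrustedHTML object; elsewhere the same rule yields a plain
// string, and nothing stops other code from assigning raw strings to innerHTML.
function makeHtmlPolicy(tt = globalThis.trustedTypes) {
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy('escape-html', { createHTML: escapeHTML });
  }
  return { createHTML: escapeHTML };
}

// The one place in the application that writes to innerHTML.
function renderComment(element, untrusted, policy) {
  element.innerHTML = policy.createHTML(untrusted);
  return element;
}

// Constructed sample input; a plain object stands in for a DOM element so the
// block also runs outside a browser.
const samplePolicy = makeHtmlPolicy();
const sampleElement = renderComment(
  { innerHTML: '' },
  '<img src=x onerror="run()">',
  samplePolicy
);
```

Under the header shown in the comment, an enforcing browser rejects a plain-string assignment to `innerHTML` and refuses to create policies whose names are not listed in `trusted-types`.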