Trusted Types - FF updates and missing entries in TT spec #25839
Conversation
github-actions
bot
added
data:api
| "status": { | ||
| "experimental": false, | ||
| "standard_track": true, | ||
| "deprecated": true |
There was a problem hiding this comment.
Note, this is set as not experimental and deprecated, because the parent is deprecated (and you can't have both set).
api/HTMLScriptElement.json
Outdated
| @@ -417,6 +417,53 @@ | |||
| } | |||
| } | |||
| }, | |||
| "innerText": { | |||
There was a problem hiding this comment.
So for this one (and textContent), the properties were around since forever, but inherited. Since this update only applies to the HTMLScriptElement I have added it here as though it were a new property.
Is this OK? I mean it looks like you can only access this from current version, which might be confusing to readers.
There was a problem hiding this comment.
I think this will be confusing, yes, because innerText is also defined and BCD-ified in the parent HTMLElement: https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement#browser_compatibility.
And the innerText page takes its BCD from there: https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText#browser_compatibility so this change won't even show up in that page.
Maybe instead of this, add a subfeature to HTMLElement.innerText, like: "Script elements can accept a TrustedScript"? Then it will show up as a subfeature in https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText#browser_compatibility .
There was a problem hiding this comment.
It depends on how important strict following of IDL is for BCD. I like the idea though - changed in df3f74f
| @@ -14,7 +14,14 @@ | |||
| "chrome_android": "mirror", | |||
| "edge": "mirror", | |||
| "firefox": { | |||
| "version_added": false, | |||
| "version_added": "135", | |||
There was a problem hiding this comment.
Not 100% sure when this became useful. The whole API was added behind pref in 125 and no implementation. I've put 135 because it does not harm and we're starting to get where tests can be useful.
api/Element.json
Outdated
| @@ -6263,6 +6263,53 @@ | |||
| "standard_track": true, | |||
| "deprecated": false | |||
| } | |||
| }, | |||
| "accepts_TrustedHtml": { | |||
There was a problem hiding this comment.
As for other cases, you can set the property with this, but if you were to get it back you'd get a string.
There was a problem hiding this comment.
Interesting, I wonder if there would be any desire to formalize BCD subfeatures for property getters and setters.
There was a problem hiding this comment.
That would be good. For now I have tried to be consistent.
api/Document.json
Outdated
| }, | ||
| "text_param_accepts_TrustedHTML": { | ||
| "__compat": { | ||
| "description": "`text` parameter accepts `TrustedHTML` type", |
There was a problem hiding this comment.
The page calls the parameter markup so this will be confusing. Also IDK if anyone cares but I think strictly, the parameter doesn't "accept" anything - it is the function that accepts things. The parameter just is something.
Since this method only accepts one parameter we might not have to name the parameter and say "Accepts a TrustedHTML instance" or something like that.
There was a problem hiding this comment.
Yes, changed to:
"accepts_TrustedHTML": {
"__compat": {
"description": "Accepts `TrustedHTML` instances",
This takes an arbitrary number of either/both strings or trusted HTML instances.
FYI I also changed this in my docs PR to text, but will revert, as markup is a better term.
api/Element.json
Outdated
| @@ -6263,6 +6263,53 @@ | |||
| "standard_track": true, | |||
| "deprecated": false | |||
| } | |||
| }, | |||
| "accepts_TrustedHtml": { | |||
There was a problem hiding this comment.
Interesting, I wonder if there would be any desire to formalize BCD subfeatures for property getters and setters.
api/HTMLScriptElement.json
Outdated
| @@ -417,6 +417,53 @@ | |||
| } | |||
| } | |||
| }, | |||
| "innerText": { | |||
There was a problem hiding this comment.
I think this will be confusing, yes, because innerText is also defined and BCD-ified in the parent HTMLElement: https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement#browser_compatibility.
And the innerText page takes its BCD from there: https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText#browser_compatibility so this change won't even show up in that page.
Maybe instead of this, add a subfeature to HTMLElement.innerText, like: "Script elements can accept a TrustedScript"? Then it will show up as a subfeature in https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText#browser_compatibility .
|
@wbamberg Thanks. Accepted all your suggestions - ready for another look |
api/Document.json
Outdated
| "mdn_url": "https://developer.mozilla.org/docs/Web/API/Document/writeln", | ||
| "spec_url": "https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#dom-document-writeln", |
api/Document.json
Outdated
| ], | ||
| "support": { | ||
| "chrome": { | ||
| "version_added": "83" |
Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
| ], | ||
| "support": { | ||
| "chrome": { | ||
| "version_added": "83" |
There was a problem hiding this comment.
Keeping this as 83 - based on this test in browserstack passing in that version https://wpt.live/trusted-types/HTMLElement-generic.html
| ], | ||
| "support": { | ||
| "chrome": { | ||
| "version_added": "83" |
There was a problem hiding this comment.
Keeping as 83 - based on https://wpt.live/trusted-types/HTMLElement-generic.html
| ], | ||
| "support": { | ||
| "chrome": { | ||
| "version_added": "83" |
There was a problem hiding this comment.
Keeping as 83 based on TT being allowed in that version https://wpt.live/trusted-types/trusted-types-reporting-for-HTMLScriptElement.html (other tests fail, but not that one)
Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
|
Thanks @caugner ! I've accepted your comments, and removed a few more cases of mdn URLs in the "accept" features (i.e. "dittos") |
FF has added more support for trusted types behind a flag. This adds those updates.
Also it adds some missing entries, primarily for the methods and properties that will now accept trusted types. Some of this is a bit weird so I've added comments inline explaining how/why I did stuff.
Document.write()andwriteln()accept {{domxref("TrustedHTML")}} objects as parameters, in addition to strings. https://bugzilla.mozilla.org/show_bug.cgi?id=1906301 - I tested version support for Chrome using https://wpt.live/trusted-types/Document-write.htmlHTMLScriptElement.text,innerText, andtextContentproperties now acceptTrustedScriptas a setter, whileHTMLScriptElement.srcacceptsTrustedScriptURLin https://bugzilla.mozilla.org/show_bug.cgi?id=1905706innerTextandtextContextwere formerly inherited from HTMLElement and Node respectively.setTimeoutandsetIntervaltaking a trustedtype - as a proxy for code in a script. But it isn't in the spec other than broadly referred to. I have added info though, because it is a compat issue - it should be listed in https://w3c.github.io/trusted-types/dist/spec/#dom-xss-injection-sinkstrustedTypes- you need to have that for anything to work. I have added this as though added in FF135. It might have appeared earlier, but not useful - I'm OK with it since all of that will change when this gets released.Element.innerHTMLand the shadow versions arent speced with alternative IDL saying it can take a trusted type, but there are examples which show that, and wpt tests, and they are mentioned in https://w3c.github.io/trusted-types/dist/spec/#dom-xss-injection-sinks - which I have used for the spec url.The spec mentions some other cases such as Element.outerHTML setters, and functions that create a new same-origin Document with caller-controlled markup like parseFromString(). Have not added that, because I haven't tested it.