Asynchronous createHTML/createScript/createScriptURL

[fred-wang]

Testcase:

<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
<div id="div"></div>
<script>
  trustedTypes.createPolicy("default", {
    createHTML: async s => s,
  });
  div.innerHTML = "Hello World!"
</script>

This sets the div's inner HTML to [object Promise] in all browsers, which at first was kinda unexpected to me.

Technically, an async function is equivalent to returning a Promise object, and it's unclear whether "stringifying" in "Process value with a default policy" is supposed to resolve that promise. So that's a special case of #541

cc @lukewarlow

[lukewarlow]

I think that or throwing is about the only reasonable outcome there.

[annevk]

This behavior seems kinda expected and probably not different from any other place that takes a callback. Being strict about the return type, but only for certain types, seems weird.