Stringification of TrustedHTML with null-data needs to be specified
#469
Comments
|
The policyValue may be null. |
|
Chrome stringifies |
mbrodesser-Igalia
changed the title
policyValue already is a stringpolicyValue=null/undefined is stringified
|
Why does IDL not take care of this? |
Please elaborate. |
|
If IDL expects a string any kind of other value will have been coerced by the time you get to specification algorithms. |
The callback defined at the IDL level allows to return |
|
Example: https://jsfiddle.net/hbp7mzov/. |
So IDL shouldn't take care of it? |
|
Yeah, I misunderstood. It seems this comes down to "stringifying" not being defined in step 3 of https://w3c.github.io/trusted-types/dist/spec/#create-a-trusted-type-algorithm. |
mbrodesser-Igalia
changed the title
policyValue=null/undefined is stringifiednull-data needs to be specified
|
Yes, stringification of https://www.w3.org/TR/trusted-types/#trustedhtml-stringification-behavior mentions the associated date value is returned. That seems acceptable, but there might be undesirable implications. This also affects @petervanderbeken: WDYT? CC @lukewarlow |
|
Firefox currently returns "<empty string>", one can check above example with Firefox Nightly and the pref "dom.security.trusted_types.enabled" set to true. In debug mode, an assertion is violated. |
https://w3c.github.io/trusted-types/dist/spec/#create-a-trusted-type-algorithm probably needs to handle
Note that the associated data value is a string, so it can't contain |
Given https://searchfox.org/mozilla-central/rev/a26e972e97fbec860400d80df625193f4c88d64e/testing/web-platform/tests/trusted-types/TrustedTypePolicy-createXXX.html#66, it's very likely what's desired for the spec too. |
|
What's the use-case for letting CC @koto, @lukewarlow |
The report-only mode with a default policy (https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr). |
|
It'd be clearer if |
|
It would be clearer but unfortunately that ship sailed about 4 years ago... |
|
I wonder if that ship really sailed. Currently, this is only shipped in one engine. CC @annevk |
|
That one engine gives you something like 75% market share though and it's a fairly core part of the API. Now it's possible that doesn't translate to much usage (ultimately we'd need usage stats from chrome). But it's ultimately not too hard to understand, implement and spec in its current form. And imo also not a particularly massive win given the effort to change. |
|
This is closed, but stringifying in step 3 of https://w3c.github.io/trusted-types/dist/spec/#create-a-trusted-type-algorithm is still not defined... |
|
I'll reopen it. The spec at least says something about the null value now but yeah we need to go through and deal with bits like this and others more thorughly. I've been focusing on the larger normative bits that have been missing, but this smaller editorial work is definitely still on our TODO list. |
https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-create-a-trusted-type
The text was updated successfully, but these errors were encountered: