Contact emailsvogelh...@chromium.org Specificationhttps://html.spec.whatwg.org/#:~:text=Trusted%20Types
Summary Trusted Types was implemented and launched in Chromium in 2019, and has since found use in numerous websites. It has recently gained interest from other browser vendors. The Trusted Type spec was co-written as a "monkey patch" spec along with our original implementation. It now receives fresh attention as others are trying to implement the same spec, and we are trying to integrate the spec into HTML. As part of that process various inconsistencies are being identified and fixed. Some of these fixes may be developer observable. This intent is to update our implementation to match the spec, as it's upstreamed into HTML. Blink componentBlink>SecurityFeature>TrustedTypes <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ETrustedTypes> Motivation The Trusted Types spec is being upstreamed into HTML. Our implementation should follow the updated spec to ensure cross-browser compatibility. Spec: - https://w3c.github.io/trusted-types/dist/spec/ - PRs against HTML: https://github.com/whatwg/html/pulls?q=is%3Apr+%22Trusted+Types%22+author%3Alukewarlow+ - The TT-related changes to HTML are not confined to a single section, so the spec link above is a little arbitrary. Risks Interoperability and Compatibility The goal is to achieve full cross-browser interoperability. Some changes may affect backwards compatibility with our current implementation. For example, the change https://github.com/w3c/trusted-types/pull/498 is chiefly about the spec mechanism, but may change _when_ the Trusted Types checks are run. This could be developer observable, e.g. when a method has multiple reasons to throw an error then the order of checks defines which exception is thrown. *Gecko*: Positive (https://github.com/mozilla/standards-positions/issues/20) *WebKit*: No signal ( https://github.com/WebKit/standards-positions/issues/186) Implementation work seems to be ongoing: https://github.com/WebKit/WebKit/pulls?q=is%3Apr+%22trusted+types%22 *Web developers*: Positive *Other signals*: WebView application risks Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None Debuggability None Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> ?Yes https://wpt.fyi/results/trusted-types/ Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5163792014245888 This intent message was generated by Chrome Platform Status <https://chromestatus.com/>. -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPMLJR2%3DBqAugsavCtqSR0Z_CQOgWHjeiyzpU0crTphANQ%40mail.gmail.com.
