Use console's debug() to log navigation sinks
filedescriptor commented
Currently, Trusted Types only covers `location = 'javascript:' + user_input` but not `location = user_input` and other similar things that trigger navigation. I believe they are common sinks so we don't want to miss them.
It is not possible to hook into the assignment call either. `location.__defineSetter__()` doesn't work because most properties are read-only. However, it is possible to use the `debug()` function from DevTools' console (`monitor()` doesn't work, sadly).
I will see if introducing this change would break anything.
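
The hooking failure described in the issue above can be reproduced outside a browser. This is an added example, not code from the issue or the project: `makeFakeWindow`, `tryHooks` and `demo` are hypothetical names, and the fake `window` is a constructed stand-in that assumes `location` is exposed as a non-configurable accessor property.

```javascript
// Constructed stand-in for a browser window. `location` is modelled as a
// non-configurable accessor property (assumption: this mirrors how the
// browser exposes it); `navigations` records what the real setter received.
function makeFakeWindow() {
  const navigations = [];
  const win = {};
  Object.defineProperty(win, 'location', {
    get() { return navigations[navigations.length - 1] || 'about:blank'; },
    set(url) { navigations.push(String(url)); },
    enumerable: true,
    configurable: false,
  });
  return { win, navigations };
}

// Attempt to install a logging setter from page script and report, per
// technique, whether it was installed or which error blocked it.
function tryHooks(win, log) {
  const hook = (url) => { log.push(url); };
  const attempts = {
    defineSetter: () => win.__defineSetter__('location', hook),
    defineProperty: () => Object.defineProperty(win, 'location', { set: hook }),
  };
  const outcome = {};
  for (const [name, attempt] of Object.entries(attempts)) {
    try {
      attempt();
      outcome[name] = 'installed';
    } catch (err) {
      outcome[name] = err.name;
    }
  }
  return outcome;
}

// Run both attempts, then perform a navigation-style assignment and report
// whether the logging hook or only the original setter observed it.
function demo() {
  const { win, navigations } = makeFakeWindow();
  const log = [];
  const outcome = tryHooks(win, log);
  win.location = 'https://example.test/?next=constructed-input'; // constructed value
  return { outcome, logged: log.length, navigations };
}

console.log(demo());
```

In a real page, `Object.getOwnPropertyDescriptor(window, 'location').configurable` shows whether the same redefinition would be rejected there.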