w3c/trusted-types
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
JavaScript · NOASSERTION
Issues
Should all 3 script IDL setters change the associated script text value identically
#517 opened by lukewarlow - 2
[Meta] Upstream changes
#476 opened by lukewarlow - 7
`execCommand` spec won't work
#500 opened by lukewarlow - 2
Add WPTs for CSP `sandbox allow-scripts` combined with Trusted Types
#513 opened by mbrodesser-Igalia - 0
Check variable naming inside of getAttributeType and getPropertyType methods
#496 opened by lukewarlow - 6
`createPolicy`'s permitted policy names are inconsistent with CSP's permitted policy names
#504 opened by mbrodesser-Igalia - 2
"Create a Trusted Type Policy" should specify the TypeError messages
#511 opened by mbrodesser-Igalia - 0
New `script text` associated data and associated mechanisms need adding to SVGScriptElement
#483 opened by lukewarlow - 12
"Validate the string in context" takes any value and calls "Get Trusted Type compliant string" which requires a TrustedType or a string
#488 opened by mbrodesser-Igalia - 0
"Should Trusted Type policy creation be blocked by Content Security Policy?" passes "directive" instead of directive's name to "Create a violation object for global, policy, and directive"
#509 opened by mbrodesser-Igalia - 2
Script element protection model
#507 opened by lukewarlow - 1
Get trusted type compliant attribute value sink
#492 opened by lukewarlow - 1
Integration with DOM APIs
#438 opened by lukewarlow - 1
faq.md outdated
#505 opened by lukewarlow - 5
CSP sample for eval and Function
#491 opened by lukewarlow - 1
Event handler enforcement section wrong
#474 opened by lukewarlow - 1
Improve test coverage of sink values
#494 opened by lukewarlow - 4
Function constructor and default policy
#458 opened by lukewarlow - 2
HTML timers as specced won't work
#480 opened by lukewarlow - 1
Callback IDL types
#482 opened by lukewarlow - 14
Can we drop the default policy value changing from Eval, new Function() (and other usages of the dynamic code brand checks proposal)?
#461 opened by lukewarlow - 6
Creating a policy with policyName="" is possible, but can't be referred to by the "trusted-types" CSP directive
#466 opened by mbrodesser-Igalia - 5
https://w3c.github.io/trusted-types/dist/spec/#webidl-validate-the-string-in-context should link to the HTML standard's definition of how the validation is performed
#454 opened by mbrodesser-Igalia - 2
Developer-centric research results about Trusted Types
#471 opened by rothsn - 1
Why is "callback **this** value set to null" required in step 5 of "Get Trusted Type policy value"?
#468 opened by mbrodesser-Igalia - 3
Adopt Infra syntax throughout
#472 opened by annevk - 2
Section 3.2. "Create a Trusted Type" should specify how a `policyValue=null/undefined` is stringified
#469 opened by mbrodesser-Igalia - 6
Trusted Types closure to replace fallback policy
#462 opened by lukewarlow - 2
<Element-setAttributeNS.html> contains commented out test and seems to duplicate other tests
#447 opened by mbrodesser-Igalia - 2
Issue with script enforcement
#437 opened by lukewarlow - 8
Integration with Shadow Realms?
#442 opened by lukewarlow - 0
`getPropertyType()` needs a rewrite?
#456 opened by lukewarlow - 1
Consider deleting the master branch as it's superseded by the main branch
#452 opened by mbrodesser-Igalia - 0
Add test to <block-string-assignment-to-Element-setAttribute.html> which checks trusted types can be assigned to non-injection sinks
#449 opened by mbrodesser-Igalia - 0
Should the polyfill be moved?
#444 opened by lukewarlow - 0
Integration with DOM Parts API
#441 opened by lukewarlow - 0
Should the "default" policy be called when `setAttributeNode` is called with a node from the same realm?
#434 opened by mbrodesser-Igalia