-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spec / implementation mismatch with document.write/writeln #510
Comments
I propose an IDL of This is observably the same as Chrome's implementation in that the default policy is called on the final string (whereas the current spec would call it on each string param), the difference is that you can pass multiple TrustedHTML params, this keeps it consistent with Function constructor, and also makes for a simpler implementation as there's no method variants. Of course the alternative is we just spec Chromium's behaviour. |
I guess you already have to be sure that repeated |
Also, given that the idea behind supporting |
If I recall correctly, the motivation was that we were trying to avoid any operations on "trusted" strings, either explicit or implicit, and that you shouldn't be able to construct an effectively-trusted strings out of trusted parts. E.g. if you have a trusted string that references a vairable "hello", and one that calls "world()", you still shouldn't be able to synthesize a trusted call to a different function "helloworld()" out of it (without going through the TrustedScript constructor again). I'm honestly not sure whether the same logic would strictly apply to The |
@otherdaniel thanks for the explanation that makes sense. One issue I have with that reasoning is that document write would allow you to do that regardless? You could half open a script Element in one call and carry it on in a follow up right? For something like document.write you inherently have to just assume the worst and reject anything that looks close to script execution OR assume a trusted input in which case the author doing something silly/malicious is out of scope for trusted types? Apologies if I've missed something obvious. |
I think you're right: For |
So just to check I'm understanding correctly the top one here should be fine. Is the bottom one acceptable to Chromium? I think we should keep these methods consistent with each other. Both would only call the default policy once on the constructed string (which matches Chromium and the Function constructor) If this is okay I'll make a PR to the html spec with the relevant changes and update WebKit's implementation to match. [CEReactions] undefined write((TrustedHTML or DOMString)... text);
[CEReactions] undefined writeln((TrustedHTML or DOMString)... text); |
I've opened whatwg/html#10328 to update the spec. |
Chromium implementation's IDL:
Spec IDL:
These IDL differences + an implementation detail about when to run the default policy lead to numerous differences between the spec (and WebKit's current implementation) and Chromium's implementation.
This issue is to discuss the path forwards here.
cc @otherdaniel @koto @annevk @mbrodesser-Igalia
The text was updated successfully, but these errors were encountered: