FF145 Relnote: Trusted Types early beta #41518
> ## Injection sink interfaces
>
> This section provides an list of "direct" injection sink interfaces.
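Review bot: "an list" in the intro sentence should be "a list". It would also help to say what "direct" means here (a sink whose value is checked at the point of assignment), since the indirect case that is checked later is introduced in the next paragraph.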
FYI this is an exhaustive list of direct injection sinks, taken from @fred-wang's compiled list in w3c/trusted-types#494 (comment).
This is linked from the first mention of injection sinks and the release note.
> Note that there are cases where untrusted strings may be "indirectly injected", such as when an untrusted string is added as the child node of a script element, and then the element is added to the document.
> These cases are evaluated the untrusted script is added to the document.
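Review bot: the second sentence is missing a word; "These cases are evaluated the untrusted script is added to the document" should read "evaluated when the untrusted script is added to the document". Consider also matching the preceding sentence's wording ("when the element is added to the document"), since it is the element insertion, not the string assignment, that triggers the check.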
This follows on from discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1992941#c6 and earlier in https://bugzilla.mozilla.org/show_bug.cgi?id=1928932#c22
There are cases where you can't know on assignment that an untrusted string will be used somewhere where it matters. For those cases the TT checks are run when (say) the script is injected.
This probably requires a section of its own with a concrete example (see second link above).
For now, I am doing this. I hope to come back to this and expand this section, but perhaps not before the Firefox release.
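To make the timing difference described in that comment concrete, here is an added example (not code from this PR, MDN, or Firefox) that models it in plain Node.js: `TrustedHTML`, `TrustedScript`, `createPolicy`, `Element` and `Document` are stand-ins for the browser objects, so the real `window.trustedTypes` API and the `require-trusted-types-for 'script'` CSP that turns on enforcement are assumed rather than used. A direct sink (`innerHTML`) rejects a plain string at assignment, whereas a plain string assigned to a `<script>` element's `textContent` is only rejected when the element is inserted into the document.

```javascript
// Model of Trusted Types check timing (stand-ins, not the browser's DOM).
class TrustedHTML { constructor(v) { this.v = v; } toString() { return this.v; } }
class TrustedScript { constructor(v) { this.v = v; } toString() { return this.v; } }

// Mirrors trustedTypes.createPolicy(name, { createHTML, createScript }):
// the caller-supplied rules turn a string into a typed value.
function createPolicy(name, rules) {
  return {
    name,
    createHTML: (s) => new TrustedHTML(rules.createHTML(String(s))),
    createScript: (s) => new TrustedScript(rules.createScript(String(s))),
  };
}

class Element {
  constructor(tag) {
    this.tag = tag;
    this.html = "";
    this.scriptText = "";        // what the element currently contains
    this.trustedScriptText = ""; // text last supplied as a TrustedScript
  }
  // innerHTML is a direct sink: under enforcement the check is at assignment.
  set innerHTML(v) {
    if (!(v instanceof TrustedHTML)) throw new TypeError("innerHTML requires TrustedHTML");
    this.html = String(v);
  }
  // textContent on <script> is not a direct sink: a plain string is accepted
  // here, but only a TrustedScript updates the element's trusted-script slot.
  set textContent(v) {
    this.scriptText = String(v);
    if (v instanceof TrustedScript) this.trustedScriptText = this.scriptText;
  }
}

class Document {
  constructor() { this.executed = []; }
  // Inserting the <script> is where the indirect case is evaluated: the script
  // runs only if its current text is exactly what a policy produced.
  appendChild(el) {
    if (el.tag === "script" && el.scriptText !== el.trustedScriptText) {
      throw new TypeError("script text did not come from a Trusted Types policy");
    }
    if (el.tag === "script") this.executed.push(el.scriptText);
    return el;
  }
}

// Reports which step rejects a value: "assignment", "insertion" or "none".
function whereDoesItFail(doc, el, value) {
  try { el.textContent = value; } catch (e) { return "assignment"; }
  try { doc.appendChild(el); } catch (e) { return "insertion"; }
  return "none";
}
```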
Super, thanks for documenting.
bsmth left a comment:
Nice, a couple of suggestions for you, but ready to go when you've had a look 👀
It's great to see the list of sinks. We talked about this back in #37917 (comment). Personally I would probably have had it as an H3 at the end of "Concepts and usage", just because I feel like everything after that point is kind of formal ("items defined in this specification") and it's more helpful to characterize it as a list of injection sinks (which you have done, but that doesn't fit this formal structure). What I mean by formal is really, the same format for every API overview page (and theoretically possible to generate from the IDL). This is generally two things:
Technically the list of injection sinks is "additions to other interfaces" of course. But it's much more helpful to frame them as a list of injection sinks. But that's not a formal description available in API overview pages. Anyway, that's my thinking. But it's much better to have the list than not, and I could appreciate that my complaint here is pretty niche, so I won't argue with what you have here.
Co-authored-by: Brian Smith <[email protected]>
> The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) is now enabled in early beta releases. ([Firefox bug 1976656](https://bugzil.la/1976656)).
>
> The changes include:
>
> - Addition of the {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}} interfaces, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}.
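Review bot: the first sentence has a full stop both before and after the parenthetical bug link ("...releases. ([Firefox bug 1976656](https://bugzil.la/1976656))."); keep a single one. Also, this note cites bug 1976656 while the PR description cites bug 1992941 for the early beta enablement; confirm which tracking bug the release note should link.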
[mdn-linter] reported by reviewdog 🐶
> - Addition of the {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}} interfaces, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}.
I'd tried several places; everywhere is a compromise. My decision to put it where it was was more about making it a level 2 heading, because I wanted it in the TOC for the usual reasons. Thanks very much to both of you for the reviews.
Yes, I wish the broken ToC didn't force us into choosing between proper structure and navigability :(.
FF145 supports Trusted Types in early beta, per https://bugzilla.mozilla.org/show_bug.cgi?id=1992941
This adds a release note and an experimental feature entry, and updates the API overview page.
This is a minimal update to provide a coherent story, with links to most affected interfaces. There are still quite a few interfaces that actually need updates, but they will come in follow-on PRs.
Related work can be tracked in #41507