Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mismatch between spec IDL and Chromium implementation for TrustedTypePolicyOptions #388

Closed
lukewarlow opened this issue Jan 11, 2024 · 2 comments
Closed

Mismatch between spec IDL and Chromium implementation for TrustedTypePolicyOptions #388

lukewarlow opened this issue Jan 11, 2024 · 2 comments

Comments

@lukewarlow
Copy link
Member

See https://w3c.github.io/trusted-types/dist/spec/#trusted-type-policy-options

dictionary TrustedTypePolicyOptions {
   CreateHTMLCallback? createHTML;
   CreateScriptCallback? createScript;
   CreateScriptURLCallback? createScriptURL;
};

callback CreateHTMLCallback = DOMString (DOMString input, any... args);
callback CreateScriptCallback = DOMString (DOMString input, any... args);
callback CreateScriptURLCallback = USVString (DOMString input, any... args);

Whereas in Chrome it's:

dictionary TrustedTypePolicyOptions {
   CreateHTMLCallback createHTML;
   CreateScriptCallback createScript;
   CreateURLCallback createScriptURL;
};

callback CreateHTMLCallback = DOMString? (DOMString input, any... args);
callback CreateScriptCallback = DOMString? (DOMString input, any... args);
callback CreateURLCallback = USVString? (DOMString input, any... args);

Aside from Chrome naming it URLCallback rather than ScriptURLCallback the nullability of the return type and options params are different.

Is the spec correct or is chrome correct in terms of what's expected?
@lukewarlow lukewarlow mentioned this issue Jan 11, 2024
Merged
@lukewarlow
Copy link
Member Author

After #389 it's just the nullability inside the options dictionary that's different

@koto
Copy link
Member

koto commented Jan 12, 2024

Good catch. I merged #389, it should also be

dictionary TrustedTypePolicyOptions {
   CreateHTMLCallback createHTML;
   CreateScriptCallback createScript;
   CreateURLCallback createScriptURL;
};

in the spec, i.e. trustedTypes.createPolicy('a', {createHTML: null}) should throw.

koto added a commit to koto/trusted-types that referenced this issue Jan 12, 2024
@koto
Fix w3c#388.
52ddbc9
@koto koto closed this as completed in 9b81281 Jan 12, 2024
github-actions bot added a commit that referenced this issue Jan 12, 2024
@koto @github-actions
Fix #388. (#395)
87134ca 
SHA: 9b81281
Reason: push, by koto

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@koto @lukewarlow