-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can we add no-op/report? #421
Comments
Enforcing Trusted Types is done through Content Security Policy, and CSP supports a report-only mode which sounds like exactly something you suggest is needed. Trusted Types rollouts on existing applications (example) were using report-only mode extensively. You can also see report-only TT being used currently on many sites via Chrome's telemetry. https://web.dev/articles/trusted-types#how_to_use_trusted_types describes the usual rollout process. Is there anything in the API that you don't feel enables this safe, report-only/no-op rollout? |
what Brian means is that the default policy assignment could be a no-op. So the sinks still don't work and report but they don't throw. Currently this isn't possible. Would be special like returning null but instead it would be something to say it should no-op rather than throw. |
There isn't a no-op though, right? report-only is only report, right? It's not enforced, it lets the damage happen and only reports it. I would like to make it possible to be enforced, but the enforcement is just "return" in the setter, so it cannot impact the page. |
There is no "no-op" for |
Wouldn't the no-op version of TrustedTypes be: const noOpTtPolicy = trustedTypes.createPolicy("noOp", {
createHTML: (htmlString) => {
return htmlString;
},
createScriptURL: (scriptUrlString) => {
return scriptUrlString;
}
}); CSP tells you where this isn't being used, and if you want you can put your own logging inside the policy methods? |
No. What's asked for in this issue is preventing
|
@shhnjk: given your experience of deploying TT (#398 (comment)), what's your take on the necessity for a no-op mode? |
It seems to me that for trusted types to be really successful at what they are aiming to do, they need very large scale adoption and there's a bit here that feels to me less than ideal for achieving that. Mainly, if I set this up today, I think I have a few choices: I can let the bad thing happen and report only, or I can make it throw or return ''. In either of the latter cases I'm still letting something unknown and at least potentially bad happen on my site. Who knows what throwing would interrupt, for example (especially because many of these sinks didn't previously throw, so we don't even reason about that).
It really feels to me that what I, as a page author/website maintainer would prefer is an option to no-op and report.
Since this is all RHS appearing that feels impossible because you don't have context, but... If you think of sinks assigning as setters, this seems possible.
The text was updated successfully, but these errors were encountered: