HTML timers as specced won't work #480
Comments
|
I think we can't use the String context attribute and have to take the TrustedScript directly and have to deal with this almost exactly like eval and Function? |
|
So I've checked Chrome and it works as I would expect, but it's not following the spec. Currently setTimeout as specced should go through all of https://w3c.github.io/trusted-types/dist/spec/#csp-eval but Chrome only uses step 10 onwards for the timers. Which solves the problem but I'm not sure it's easily speccable? Potentially we can check |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As currently specced setTimeout and setInterval won't always work as expected. We used the String context attribute which works fine, but this means that a plain string is passed to HostEnsureCanCompileStrings which TT will reject (or pass into the default policy).
See https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-timer-functions
Also See https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#timer-initialisation-steps for full steps.
cc @koto @otherdaniel @mbrodesser-Igalia
The text was updated successfully, but these errors were encountered: