As currently specced, setTimeout and setInterval won't always work as expected. We used the String context attribute, which works fine, but this means that a plain string is passed to HostEnsureCanCompileStrings, which TT will reject (or pass into the default policy).
I think we can't use the String context attribute and have to take the TrustedScript directly and have to deal with this almost exactly like eval and Function?
So I've checked Chrome and it works as I would expect, but it's not following the spec. Currently setTimeout as specced should go through all of https://w3c.github.io/trusted-types/dist/spec/#csp-eval but Chrome only uses step 10 onwards for the timers. Which solves the problem but I'm not sure it's easily speccable?
Potentially we can check compilationSink and if it's timer we can just skip those steps (as the StringContext attribute will already account for it?)
See https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-timer-functions
Also see https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#timer-initialisation-steps for full steps.
cc @koto @otherdaniel @mbrodesser-Igalia
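A simplified model of the double check described in this issue, as an added example that is not spec text, browser code, or code from any participant in the thread. Every function name, the `skipForTimers` option and the error types are assumptions chosen for illustration; the model only shows why a value that was a TrustedScript at the call site reaches the compile check as a plain string.

```javascript
// Simplified model of the timer flow discussed above. Every name here is
// hypothetical; this is not spec text and not browser code.
class TrustedScript {                       // stand-in for the platform type
  constructor(data) { this.data = data; }
}

// Models the string-context conversion on the handler argument: a
// TrustedScript is unwrapped, a plain string goes to the default policy
// (if any) or is rejected.
function stringContextConvert(value, defaultPolicy) {
  if (value instanceof TrustedScript) return value.data;
  if (defaultPolicy) return defaultPolicy(value);
  throw new TypeError("rejected at argument conversion");
}

// Models the compile check. It only sees what the caller hands over.
// opts.skipForTimers models the idea of skipping the re-check when the
// compilation sink is a timer.
function ensureCanCompile(source, sink, defaultPolicy, opts) {
  if (opts.skipForTimers && sink === "timer") return source;
  if (source instanceof TrustedScript) return source.data;
  if (defaultPolicy) return defaultPolicy(source);
  throw new EvalError("rejected at compile check");
}

function modelSetTimeout(handler, defaultPolicy, opts = {}) {
  // After conversion the trusted wrapper is gone: only a string remains.
  const source = stringContextConvert(handler, defaultPolicy);
  return ensureCanCompile(source, "timer", defaultPolicy, opts);
}

// Runs one scenario and reports the outcome plus default-policy call count.
function scenario(handler, useDefaultPolicy, opts) {
  let calls = 0;
  const policy = useDefaultPolicy ? (s) => { calls += 1; return s; } : null;
  try {
    return { result: modelSetTimeout(handler, policy, opts), calls };
  } catch (e) {
    return { result: e.message, calls };
  }
}

const trusted = new TrustedScript("tick()");   // constructed sample input
console.log(scenario(trusted, false, {}));                       // double check
console.log(scenario(trusted, true, {}));                        // default policy sees trusted input
console.log(scenario(trusted, false, { skipForTimers: true }));  // check skipped for timers
```

In the model, skipping the second check for the timer sink does not weaken the first one: a plain string with no default policy is still rejected at argument conversion.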