Chapter 1: implement Trusted Types support for `Element.insertAdjacentHTML` without default-policy support without reporting violations
Categories
(Core :: DOM: Security, task)
People
(Reporter: mbrodesser, Assigned: mbrodesser)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-active])
Attachments
(1 file, 2 obsolete files)
https://html.spec.whatwg.org/#dom-parsing-and-serialization:dom-element-insertadjacenthtml
Here, TrustedHTML is used as a non-variadic argument. That's simpler than https://bugzilla.mozilla.org/show_bug.cgi?id=1906301.
Comment 1•1 year ago (Assignee)
Union types in WebIDL for variadic arguments require this
(https://firefox-source-docs.mozilla.org/dom/webIdlBindings/index.html#union-types).
If this results in an efficiency problem, one might try to change union
types to allow non-reference-counted members. For now, this was agreed
with peterv.
Comment 2•1 year ago (Assignee)
Depends on D216169
Comment 3•1 year ago (Assignee)
To be used in a following part.
If nsCSPDirective::AreTrustedTypesForSinkGroupRequired turns out to be
too inefficient, release builds could simply return mDirective == REQUIRE_TRUSTED_TYPES_FOR_DIRECTIVE since there's currently only one
sink group ("script"). nsCSPParser adds the directive for
REQUIRE_TRUSTED_TYPES_FOR_DIRECTIVE only if that sink group is parsed
too.
Depends on D216169
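A simplified stand-alone C++ model of the reasoning in comment 3, added here as an illustration and not Gecko's code: `ParsePolicy`, `RequiredFull`, `RequiredShortcut` and `PolicyRequires` are hypothetical names, and the policy strings are constructed samples. It shows that the name-only shortcut gives the same answer as the full sink-group check as long as the parser drops a `require-trusted-types-for` directive that lacks `'script'`.

```cpp
// Simplified stand-alone model; not Gecko's nsCSPParser or nsCSPDirective.
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

static const std::string kRequireTT = "require-trusted-types-for";
static const std::string kScript = "'script'";  // the only sink group today

struct Directive {
  std::string name;                 // compared case-sensitively in this model
  std::vector<std::string> values;
};

// Parser invariant from comment 3: a require-trusted-types-for directive is
// stored only if the 'script' sink group was parsed; unknown groups are dropped.
std::vector<Directive> ParsePolicy(const std::string& policy) {
  std::vector<Directive> out;
  std::istringstream directives(policy);
  std::string chunk, tok;
  while (std::getline(directives, chunk, ';')) {
    std::istringstream tokens(chunk);
    Directive d;
    if (!(tokens >> d.name)) continue;  // skip empty directives
    while (tokens >> tok)
      if (d.name != kRequireTT || tok == kScript) d.values.push_back(tok);
    if (d.name == kRequireTT && d.values.empty()) continue;
    out.push_back(d);
  }
  return out;
}

// Full check: directive name matches and the sink group is listed.
bool RequiredFull(const Directive& d, const std::string& group) {
  return d.name == kRequireTT &&
         std::find(d.values.begin(), d.values.end(), group) != d.values.end();
}

// Shortcut from comment 3: the name alone suffices, given the invariant.
bool RequiredShortcut(const Directive& d) { return d.name == kRequireTT; }

bool PolicyRequires(const std::string& policy, bool shortcut) {
  for (const Directive& d : ParsePolicy(policy))
    if (shortcut ? RequiredShortcut(d) : RequiredFull(d, kScript)) return true;
  return false;
}

int main() {  // constructed sample policies
  for (const char* p : {"require-trusted-types-for 'script'", "require-trusted-types-for 'other'"})
    std::cout << p << " -> " << PolicyRequires(p, false) << PolicyRequires(p, true) << "\n";
}
```

The shortcut stops being equivalent once a second sink group exists, since the directive name alone no longer says which group is required.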
Comment 5•1 year ago (bugherder)
Comment 6•1 year ago
It would be nice to not land individual patches from a bug. There is a risk that one patch ends up in one release and some other patch in another, and if there are then issues with the patch, backing out stuff gets a bit messy.
Comment 7•1 year ago (Assignee)
(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #6)
> It would be nice to not land individual patches from a bug. There is a risk that one patch ends up in one release and some other patch in another, and if there are then issues with the patch, backing out stuff gets a bit messy.

Agreed. The disadvantage of keeping patches unlanded is that they may bit-rot. I'll try to respect the soft-code-freezes (https://whattrainisitnow.com/calendar/) and move the remaining patches to a separate ticket if the affected releases differ.
Comment 8•1 year ago (Assignee)
(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #7)
> (In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #6)
> > It would be nice to not land individual patches from a bug. There is a risk that one patch ends up in one release and some other patch in another, and if there are then issues with the patch, backing out stuff gets a bit messy.
>
> Agreed. The disadvantage of keeping patches unlanded is that they may bit-rot. I'll try to respect the soft-code-freezes (https://whattrainisitnow.com/calendar/) and move the remaining patches to a separate ticket if the affected releases differ.

Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1909878 for Lando to check that.
Comment 9•1 year ago
Comment on attachment 9412281 [details]
Bug 1906650: part 2) Add nsCSPPolicy::AreTrustedTypesForSinkGroupRequired. r=tschuster
Revision D216304 was moved to bug 1913077. Setting attachment 9412281 [details] to obsolete.
Comment 10•1 year ago
Comment on attachment 9412042 [details]
Bug 1906650: part 3) Add TrustedHTML to Element.insertAdjacentHTML. r=smaug,peterv
Revision D216170 was moved to bug 1913077. Setting attachment 9412042 [details] to obsolete.