UI widgets broken by Trusted Types
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
People
(Reporter: tschuster, Unassigned)
References
(Blocks 1 open bug)
Details
Similar to Picture-in-Picture being broken (bug 1947672), <input type=date> (the datetimebox) is also broken when enabling Trusted Types. I found this by searching for parseFromString, which finds other instances, which I haven't looked into in detail. However I imagine we could also have breakage caused by other methods, like e.g. setAttribute.
It's quite likely we actually need some general way for chrome / UI widget code to bypass Trusted Types enforcement. (I don't think we want to just exempt chrome code, because that would make it impossible to use TT for our own frontend code in a sensible way.)
Comment 1•10 days ago
Note that we perform implicit sanitizer calls deep inside the HTML fragment parsing algorithm, but only for SystemPrincipal code, which makes it a bit moot to require a Trusted Type in the first place.
Ideally, we should align what we do and what we expect across all privileged contexts (privileged-about, parent, system principal, etc.).
Comment 2•5 days ago
We should fix this, but setting a comparably low priority/severity, as TT is not entirely ready to ship yet. This bug should block shipping trusted types though.