Open Bug 1948227 Opened 6 months ago Updated 3 months ago

UI widgets broken by Trusted Types

Categories

(Core :: DOM: Security, task, P2)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

People

(Reporter: tschuster, Unassigned)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

Similar to Picture-in-Picture being broken (bug 1947672), <input type=date> (the datetimebox) is also broken when enabling Trusted Types. I found this by searching for parseFromString, which finds other instances, which I haven't looked into in detail. However I imagine we could also have breakage caused by other methods, like e.g. setAttribute.

It's quite likely we actually need some general way for chrome / UI widget code to bypass Trusted Types enforcement. (I don't think we want to just exempt chrome code, because that would make it impossible to use TT for own frontend code in a sensible way)

Note that we perform implicit sanitizer calls deep inside the HTML fragment parsing algorithm, but only for SystemPrincipal code, which makes it a bit moot to require a Trusted Type in the first place.

Ideally, we should align what we do and what we expect across all privileged contexts (privileged-about, parent, system principal, etc.).

We should fix this, but setting a comparably low priority/severity, as TT is not entirely ready to ship yet. This bug should block shipping trusted types though.

Severity: N/A → S3
Priority: -- → P2
Depends on: 1957051

I am fixing <input type=date> in bug 1957051. We should use this bug for an audit of other widgets that could be affected.

Blocks: 1955251
Depends on: 1961770
Depends on: 1961772
Type: defect → task
Depends on: 1966710
You need to log in before you can comment on or make changes to this bug.