Closed Bug 1994690 Opened 5 months ago Closed 4 months ago

Ship Trusted Types

Categories

(Core :: DOM: Security, task)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
148 Branch
Tracking Flags:
Tracking Status
relnote-firefox --- 148+
firefox148 --- fixed

People

(Reporter: tschuster, Assigned: fwang)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, webcompat:platform-bug)

User Story

user-impact-score:1200
platform-scheduled: 2025-02-24

Attachments

(1 file)

Bug 1994690 - Ship Trusted Types. r=smaug,tschuster
48 bytes, text/x-phabricator-request
Details | Review

Trusted Types is enabled in early beta and earlier only.

Keywords: dev-doc-needed
Blocks: 1991852
No longer depends on: 1991852
User Story: (updated)
Depends on: 1997850

The Trusted Type Spec has been evolved in a collaboration with Igalia and the Chrome team to bring some improvements. This will allow us to implement it with higher confidence and a mature spec that is already in process of being upstreamed to HTML/DOM properly

Given some potentially breaking changes in the Chrome implementations, we have discussed the timing of this shipping in Firefox with our friends in the web compat team. We have been advised to ship after Chrome's update in early 2026 such that any potential site breakage will not be "on us".

For further reference, we'll follow after https://chromestatus.com/feature/5163792014245888 is released.

User Story: (updated)

Chrome's intent to ship for the breaking changes is in discussion: https://groups.google.com/a/chromium.org/g/blink-dev/c/OjQXhCZiXe0/m/VW2bMfeoCgAJ

No longer depends on: 1997850
Assignee: nobody → fwang
Attachment #9531687 - Attachment description: WIP: Bug 1994690 - Ship Trusted Types. r=smaug,tschuster → Bug 1994690 - Ship Trusted Types. r=smaug,tschuster
Status: NEW → ASSIGNED

Is this shipping in release in FF 147? The data compatibility seems to indicate that it is https://github.com/mdn/browser-compat-data/pull/28624

Flags: needinfo?(fwang)
No longer blocks: 1991852
See Also: → 1991852

(In reply to Hamish Willee from comment #4)

Is this shipping in release in FF 147? The data compatibility seems to indicate that it is https://github.com/mdn/browser-compat-data/pull/28624

TT is enabled in nightly (1955251) and was enabled in "early beta" (bug 1992941). It is not enabled yet by default. This bug is about doing so, targeting Firefox 148 release. I'm not sure why the BCD PR said 147?

Flags: needinfo?(fwang)

https://hg.mozilla.org/mozilla-central/rev/a8570854b6f1

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox148: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 148 Branch

@fredw Thanks very much, and for your comment on the linked issue.

I've added a needinfo, but only to ensure you see this, not because I need anything.

Flags: needinfo?(fwang)

:fredw, could you consider nominating this for a release note? (Process info)
See https://bugzilla.mozilla.org/show_bug.cgi?id=1955251#c7 for wording used when this was enabled in Nightly

Release Note Request (optional, but appreciated)
[Why is this notable]: A huge new API.
[Affects Firefox for Android]: Yes
[Suggested wording]: The Trusted Types API, primarily aimed at preventing cross-site scripting attacks, is now supported.
[Links (documentation, blog post, etc)]: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API

relnote-firefox: --- → ?
Flags: needinfo?(fwang)

(In reply to Hamish Willee from comment #9)

I understand what people actually want is to have a runtime flag to disable "early beta or earlier" preferences in order to get the behavior of "beta or release". So really they want a switch that set all preferences to "beta or release" values. Since the default preference values are based on cpp defines (so set at compilation time) I don't think it's possible right now: https://searchfox.org/firefox-main/source/modules/libpref/init/StaticPrefList.yaml ; I did a quick search on Bugzilla and couldn't find anything related, so feel free to open a new bug for that.

Thanks, added to the Fx148 nightly release notes, please allow 30 minutes for the site to update.
Keeping the relnote-firefox flag as ? to keep it on the radar for inclusion in the final Fx148 release notes.

I filed https://bugzilla.mozilla.org/show_bug.cgi?id=2005763 to ask for a switch for "early beta or earlier".

QA Whiteboard: [qa-triage-done-c149/b148]

FF148 MDN release work for this can be tracked in https://github.com/mdn/content/issues/42748

This is mostly done, though I am hoping for feedback from FredW on https://github.com/mdn/content/pull/42638#discussion_r2674942952 - if that is answered I think I can finish this. (sorry for all the back and forth)

EDIT: Marked as dev-doc-complete. Still in final reviews, but thanks to update from Fred now have confidence it is correct.

Keywords: dev-doc-neededdev-doc-complete

Added to the final Fx148 release notes

relnote-firefox: ?148+
See Also: → 2019509
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: