FF145 Relnote: Trusted Types early beta #41518
Conversation
github-actions
bot
added
Content:WebAPI
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
Preview URLs
Flaws (26)Note! 2 documents with no flaws that don't need to be listed. 🎉 URL:
URL:
URL:
External URLs (2)URL:
URL:
(comment last updated: 2025-10-31 05:53:22) |
|
This pull request has merge conflicts that must be resolved before it can be merged. |
hamishwillee
force-pushed
the
ff145rel_tt_early_beta
branch
from
05e5fd2 to
0b6363d
Compare
github-actions
bot
added
merge conflicts 🚧
|
This pull request has merge conflicts that must be resolved before it can be merged. |
hamishwillee
force-pushed
the
ff145rel_tt_early_beta
branch
from
0b6363d to
ddde1a0
Compare
hamishwillee
force-pushed
the
ff145rel_tt_early_beta
branch
from
ddde1a0 to
6637909
Compare
|
This pull request has merge conflicts that must be resolved before it can be merged. |
hamishwillee
force-pushed
the
ff145rel_tt_early_beta
branch
from
6637909 to
1578ce4
Compare
|
|
||
| ## Injection sink interfaces | ||
|
|
||
| This section provides an list of "direct" injection sink interfaces. |
There was a problem hiding this comment.
FYI this is an exhaustive list of direct injection sinks, taken from @fred-wang compiled list in w3c/trusted-types#494 (comment).
This is linked from the first mention of injection sinks and the release note.
| Note that there are cases where untrusted strings may be "indirectly injected", such as when an untrusted string is added as the child node of a script element, and then the element is added to the document. | ||
| These cases are evaluated the untrusted script is added to the document. |
There was a problem hiding this comment.
This follows on from discussion in https://bugzilla.mozilla.org/show_bug.cgi?id=1992941#c6 and earlier in https://bugzilla.mozilla.org/show_bug.cgi?id=1928932#c22
There are cases where you can't know on assignment that an untrusted string will be used somewhere where it matters. For those cases the TT checks are run when (say) the script is injected.
This probably requires a section of its own with concrete example (see second link above).
For now, I am doing this. I hope to come back to this and expand this section, but perhaps not before the Firefox release.
| ### Trusted Types API | ||
|
|
||
| The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) provides mechanisms to ensure that functions that can potentially be used as vectors for XSS attacks are only able to be called with data that has been validated or sanitized. | ||
| The API has been implemented and is enabled in early beta releases ([Firefox bug 1992941](https://bugzil.la/1992941)). |
There was a problem hiding this comment.
| The API has been implemented and is enabled in early beta releases ([Firefox bug 1992941](https://bugzil.la/1992941)). | |
| The API is enabled in early beta releases ([Firefox bug 1992941](https://bugzil.la/1992941)). |
| - The {{domxref("Window.setInterval()")}} and {{domxref("Window.setTimeout()")}} methods can be called with a {{domxref("TrustedScript")}}. ([Firefox bug 1931290](https://bugzil.la/1931290)). | ||
| - The global [`trustedTypes`](/en-US/docs/Web/API/Window/trustedTypes) property is available for accessing the Trusted Types API. | ||
| - The properties {{domxref("Element.innerHTML")}} and {{domxref("ShadowRoot.innerHTML")}} can be called with [trusted types](/en-US/docs/Web/API/Trusted_Types_API). | ||
| - Addition of new interfaces {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}}, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}. |
There was a problem hiding this comment.
| - Addition of new interfaces {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}}, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}. | |
| - Addition of the {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}} interfaces and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}}. |
|
|
||
| - **Trusted Types API** for scripts (Nightly/Early Beta): `dom.security.trusted_types.enabled` | ||
|
|
||
| The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) is now fully implemented. ([Firefox bug 1976656](https://bugzil.la/1976656)). |
There was a problem hiding this comment.
| The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) is now fully implemented. ([Firefox bug 1976656](https://bugzil.la/1976656)). | |
| The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) is now enabled in early beta releases. ([Firefox bug 1976656](https://bugzil.la/1976656)). |
| The [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) is now fully implemented. ([Firefox bug 1976656](https://bugzil.la/1976656)). | ||
|
|
||
| The changes include: | ||
| - Addition of new interfaces {{domxref("TrustedTypePolicyFactory")}}, {{domxref("TrustedTypePolicy")}}, {{domxref("TrustedHTML")}}, {{domxref("TrustedScript")}}, {{domxref("TrustedScriptURL")}}, and the `trustedTypes` property on {{domxref("Window/trustedTypes", "Window")}} and {{domxref("WorkerGlobalScope/trustedTypes", "WorkerGlobalScope")}} |
There was a problem hiding this comment.
Same suggestions as above if you like them.
| The `unsafe-eval` keyword can be used to override this behavior, and as with `unsafe-inline`, and for the same reasons: **developers should avoid `unsafe-eval`**. | ||
|
|
||
| Sometimes it can be difficult to remove usages of `eval()` and the other methods: in these situations, the [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API) can make it safer, by ensuring that the input meets a defined policy. | ||
| The `trusted-types-eval` keyword should be used to override the behavior in this case! |
There was a problem hiding this comment.
| The `trusted-types-eval` keyword should be used to override the behavior in this case! | |
| The `trusted-types-eval` keyword should be used to override the behavior in this case. |
There was a problem hiding this comment.
Or we could drop this para in a note block if you think we should highlight it?
It's great to see the list of sinks. We talked about this back in #37917 (comment). Personally I would probably have had it as an H3 at the end of "Concepts and usage", just because I feel like everything after that point is kind of formal ("items defined in this specification") and it's more helpful to characterize it as a list of injection sinks (which you have done, but that doesn't fit this formal structure). What I mean by formal is really, the same format for every API overview page (and theoretically possible to generate from the IDL). This is generally two things:
Technically the list of injection sinks is "additions to other interfaces" of course. But it's much more helpful to frame them as a list of injection sinks. But that's not a formal description available in API overview pages. Anyway, that's my thinking. But it's much better to have the list than not, and I could appreciate that my complaint here is pretty niche, so I won't argue with what you have here. |
3 participants
FF145 supports Trusted Types in early beta in https://bugzilla.mozilla.org/show_bug.cgi?id=1992941
This adds a release note, experimental feature, and updates the API overview page.
This is a minimal update to provide a coherent story, with links to most affected interfaces. There are still quite a few interfaces that actually need updates but they will come in follow on PRs.
Related work can be tracked in #41507