Currently, Trusted Types only covers location = 'javascript:' + user_input but not location = user_input and other similar things that trigger navigation. I believe they are common sinks so we don't want to miss them.
It is not possible to hook into the assignment call either. location.__defineSetter__() doesn't work because most properties are read-only. However, it is possible to use the debug() function from DevTools' console (monitor() doesn't work, sadly).
I will see if introducing this change would break anything.
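The setter-hooking limitation described above, as an added example that is not code from this post or the project: `window.location` is a non-configurable accessor, so any attempt to redefine its setter throws, while a configurable accessor can be wrapped. `hookSetter`, `findDescriptor` and `makeMockWindow` are hypothetical names, and the mock object is a constructed stand-in for `window` so the block runs outside a browser.

```javascript
// Locate the descriptor for `prop` on `obj` or anywhere on its prototype chain.
function findDescriptor(obj, prop) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const desc = Object.getOwnPropertyDescriptor(o, prop);
    if (desc) return { owner: o, desc };
  }
  return null;
}

// Wrap the setter of `prop` so each assignment is reported; false if impossible.
function hookSetter(obj, prop, onSet) {
  const found = findDescriptor(obj, prop);
  if (!found || typeof found.desc.set !== 'function') return false;
  const { owner, desc } = found;
  if (!desc.configurable) return false; // redefining it would throw TypeError
  Object.defineProperty(owner, prop, {
    get: desc.get,
    set(value) { onSet(prop, value); desc.set.call(this, value); },
    enumerable: desc.enumerable, configurable: true,
  });
  return true;
}

// Constructed stand-in for `window` (hypothetical, not a real DOM object).
function makeMockWindow() {
  const state = { location: 'https://example.test/', other: '' };
  const win = {};
  for (const [prop, configurable] of [['location', false], ['other', true]]) {
    Object.defineProperty(win, prop, {
      get() { return state[prop]; },
      set(v) { state[prop] = String(v); },
      enumerable: true, configurable, // false mirrors the `location` accessor
    });
  }
  return win;
}

function demo() {
  const win = makeMockWindow();
  const seen = [];
  const log = (prop, value) => seen.push(`${prop}=${value}`);
  const hooked = { location: hookSetter(win, 'location', log), other: hookSetter(win, 'other', log) };
  let legacyThrew = false;
  try { win.__defineSetter__('location', () => {}); } catch (e) { legacyThrew = e instanceof TypeError; }
  win.location = 'https://example.test/next'; // assignment goes through unobserved
  win.other = 'value';                         // assignment is reported to the hook
  return { hooked, legacyThrew, seen, finalLocation: win.location };
}
```

In a browser console, `findDescriptor(window, 'location').desc.configurable` reports the same `false` that the mock reproduces.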