Open tosmolka opened 3 years ago
I am not comfortable with the size increase of this PR and don't know if it can come down enough to change that, although something like this could be attempted:

```js
// Fallback used when Trusted Types is unavailable or policy creation is refused.
var trustedTypesPolicy = {
	createHTML: function( html ) {
		return html;
	}
};
try {
	// createPolicy needs the rules object as its second argument; without it the
	// resulting policy has no createHTML method to call.
	trustedTypesPolicy = window.trustedTypes.createPolicy( "sizzle", trustedTypesPolicy );
} catch ( e ) {}
```
Also, note that just defining a policy & using it still won't solve all the issues. You can declare in CSP that you not only want to enforce trusted types usage but only allow specific policy names. Such declarations would work with jQuery 4.x now but they'd fail with Sizzle with the current patch.
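The failure mode described above, as an added example that is not part of the PR or of Sizzle: policy creation is attempted against a `trustedTypes` object passed in (`window.trustedTypes` in a browser), and a constructed stand-in simulates a CSP whose `trusted-types` directive allows only the name `jquery`, so a policy named `sizzle` is refused and the code must fall back. The names `buildSizzlePolicy`, `fakeTrustedTypes` and the allowed-name list are assumptions for this example.

```javascript
// Rules for the policy: Sizzle only feeds its own fixed markup into createHTML,
// so the rule returns its input unchanged (as in the comment above).
var policyRules = {
	createHTML: function( html ) {
		return html;
	}
};

// Returns { policy, enforced }: `enforced` is true only when a real named policy
// was created, false when the plain fallback object is in use.
function buildSizzlePolicy( trustedTypes, policyName ) {
	var fallback = { name: policyName + " (fallback)", createHTML: policyRules.createHTML };
	if ( !trustedTypes || typeof trustedTypes.createPolicy !== "function" ) {
		return { policy: fallback, enforced: false };
	}
	try {
		// Throws a TypeError when the CSP `trusted-types` directive lists policy
		// names and `policyName` is not among them, or the name is already taken.
		return { policy: trustedTypes.createPolicy( policyName, policyRules ), enforced: true };
	} catch ( e ) {
		return { policy: fallback, enforced: false, error: e };
	}
}

// Constructed stand-in for window.trustedTypes under a header such as
// `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types jquery`
// (assumption: only the names in `allowedNames` may be created, each once).
function fakeTrustedTypes( allowedNames ) {
	var created = {};
	return {
		createPolicy: function( name, rules ) {
			if ( allowedNames.indexOf( name ) === -1 || created[ name ] ) {
				throw new TypeError( "Policy \"" + name + "\" disallowed by CSP" );
			}
			created[ name ] = true;
			return { name: name, createHTML: rules.createHTML };
		}
	};
}
```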
This PR is loosely related to https://github.com/jquery/sizzle/pull/472, where the AdGuard team also proposed a TT policy for Sizzle.
@tosmolka To be honest, their approach of forking Sizzle makes sense for their use case. We're going to archive Sizzle soon and jQuery 3.7.0 & newer will have their own embedded selector engine based on Sizzle but cleaned up a lot.
The first jQuery version with Trusted Types support will be 4.0.0.
Create HTML from string via custom Trusted Types policy in browsers that support Trusted Types.
This PR fixes #478