Open nolanlawson opened 4 months ago
We set innerHTML here: https://github.com/nolanlawson/emoji-picker-element/blob/ddb6aa3a9d9830b4b9b467c7219c04e8db1720c5/src/picker/components/Picker/utils.js#L15-L16
This string is inherently safe because it's authored in this codebase and does not include any user-supplied data. However, if a server has a Trusted Types CSP policy, it would throw an error here.
One strategy Lit uses is to set their own custom TrustedTypes policy: https://github.com/lit/lit/pull/1772/
I'm a little hesitant to do this though until the API gains wider browser adoption. It's been Chromium-only for years, and the standards positions from WebKit/Firefox seem inconclusive: https://github.com/WebKit/standards-positions/issues/186 https://github.com/mozilla/standards-positions/issues/20
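The policy strategy discussed in the issue (an identity Trusted Types policy for static, library-authored markup), as an added example that is not code from emoji-picker-element or from Lit. The policy name `emoji-picker-element` is a hypothetical choice; the `makeFakeTrustedTypes` stand-in and the `PICKER_MARKUP` literal are constructed here so the wrapper can be exercised outside a browser, and they only mimic the observable shape of `window.trustedTypes` (policy creation refused for names the CSP `trusted-types` directive does not list, duplicate names rejected, `createHTML` returning an opaque value).

```javascript
// Added example, not the project's or Lit's code. One lazily created policy
// whose createHTML is the identity; every static HTML literal authored in the
// codebase is routed through it before being assigned to innerHTML, so the
// assignment passes a CSP of `require-trusted-types-for 'script'`.
function createStaticHtmlWrapper(policyName, trustedTypes = globalThis.trustedTypes) {
  let policy; // created on first use, then cached

  return function toStaticHtml(html) {
    // Browser or runtime without Trusted Types (Firefox, WebKit, Node):
    // innerHTML accepts plain strings, so hand the literal back unchanged.
    if (!trustedTypes || typeof trustedTypes.createPolicy !== 'function') {
      return html;
    }
    if (policy === undefined) {
      // Identity createHTML is only acceptable because callers pass literals
      // from this codebase. If the page's trusted-types directive does not
      // list policyName, createPolicy throws a TypeError; let it surface
      // rather than silently returning a string that innerHTML would reject.
      policy = trustedTypes.createPolicy(policyName, { createHTML: (s) => s });
    }
    return policy.createHTML(html);
  };
}

// Constructed stand-in for window.trustedTypes (hypothetical, for offline use).
function makeFakeTrustedTypes(allowedPolicyNames) {
  const created = new Set();
  class FakeTrustedHTML {
    constructor(value) { this.value = value; }
    toString() { return this.value; }
  }
  return {
    createPolicyCalls: 0,
    createPolicy(name, rules) {
      this.createPolicyCalls += 1;
      if (!allowedPolicyNames.includes(name)) {
        throw new TypeError(`Policy "${name}" disallowed by trusted-types directive`);
      }
      if (created.has(name)) {
        throw new TypeError(`Policy "${name}" already exists`);
      }
      created.add(name);
      return {
        createHTML: (input) => new FakeTrustedHTML(rules.createHTML(String(input))),
      };
    },
    isHTML(value) { return value instanceof FakeTrustedHTML; },
  };
}

// Walks through the three situations the issue describes and returns the
// observations so they can be checked without a DOM.
function demo() {
  const PICKER_MARKUP = '<div class="picker"><input type="search"></div>'; // constructed literal

  // 1. No Trusted Types support: the plain string comes back.
  const plain = createStaticHtmlWrapper('emoji-picker-element', null)(PICKER_MARKUP);

  // 2. CSP allows our policy name: opaque TrustedHTML, policy created once.
  const tt = makeFakeTrustedTypes(['emoji-picker-element']);
  const wrap = createStaticHtmlWrapper('emoji-picker-element', tt);
  const first = wrap(PICKER_MARKUP);
  const second = wrap('<span>x</span>');

  // 3. CSP lists other policy names only: creation is refused with a TypeError.
  const strictTt = makeFakeTrustedTypes(['lit-html']);
  let refused = null;
  try {
    createStaticHtmlWrapper('emoji-picker-element', strictTt)(PICKER_MARKUP);
  } catch (err) {
    refused = err;
  }

  return {
    plain,
    firstIsHtml: tt.isHTML(first),
    secondIsHtml: tt.isHTML(second),
    firstString: String(first),
    policyCalls: tt.createPolicyCalls,
    refused,
  };
}

// In a browser the wrapper is used at the innerHTML assignment site, e.g.
// `container.innerHTML = wrap(PICKER_MARKUP);` where wrap was built with the
// real `window.trustedTypes` (the default argument above).
```

The wrapper deliberately does not catch the `TypeError` from `createPolicy`: on a page that enforces `require-trusted-types-for 'script'`, falling back to a plain string would only move the failure to the `innerHTML` assignment with a less specific message, so surfacing the policy-name refusal is the more useful behaviour.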