Closed lukewarlow closed 3 months ago
I think we can't use the String context attribute and have to take the TrustedScript directly and have to deal with this almost exactly like eval and Function?
So I've checked Chrome and it works as I would expect, but it's not following the spec. Currently setTimeout as specced should go through all of https://w3c.github.io/trusted-types/dist/spec/#csp-eval but Chrome only uses step 10 onwards for the timers. Which solves the problem but I'm not sure it's easily speccable?
Potentially we can check compilationSink
and if it's timer we can just skip those steps (as the StringContext attribute will already account for it?)
As currently specced setTimeout and setInterval won't always work as expected. We used the String context attribute which works fine, but this means that a plain string is passed to HostEnsureCanCompileStrings which TT will reject (or pass into the default policy).
See https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-timer-functions
Also See https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#timer-initialisation-steps for full steps.
cc @koto @otherdaniel @mbrodesser-Igalia