w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Get trusted type compliant attribute value sink #492

Closed lukewarlow closed 5 months ago

lukewarlow commented 6 months ago

https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation - This function specifies that the sink value when calling `document.createElement('iframe').setAttribute('srcdoc', 'foo');` should be `HTMLIFrameElement srcdoc`, the same as if you did `document.createElement('iframe').srcdoc = 'foo';`. However, this doesn't match Chromium's behaviour (where the sink is just `Element setAttribute`).

What should the spec say here? Should it just use the function as the sink (matching implementation)?

cc @koto as he wrote this spec piece.

lukewarlow commented 5 months ago

I've checked with Koto and the spec is intentionally different here. cc @otherdaniel so he's aware of the difference.
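Added example (not code from the w3c/trusted-types repository): a default Trusted Types policy whose `createHTML` callback branches on the sink name, showing why the naming difference discussed above matters to policy authors. It assumes a hypothetical `report` callback and uses the two sink strings quoted in the thread; under Chromium's naming the sink does not reveal which attribute was written, so the policy uses the sink only for telemetry and never for the allow/deny decision.

```javascript
// Sink names as quoted in the issue:
//   spec:     setAttribute('srcdoc', v) on an iframe -> "HTMLIFrameElement srcdoc"
//             (same string as the property setter iframe.srcdoc = v)
//   Chromium: the setAttribute path -> "Element setAttribute" (attribute not named)

// Classify a createHTML sink name. Returns:
//   "srcdoc"    - definitely the iframe srcdoc sink (spec naming or property setter)
//   "attribute" - setAttribute under Chromium naming; the attribute is unknown
//   "other"     - any other HTML sink (innerHTML, outerHTML, ...)
function classifyHtmlSink(sink) {
  if (sink === "HTMLIFrameElement srcdoc") return "srcdoc";
  if (sink === "Element setAttribute") return "attribute";
  return "other";
}

// Minimal HTML escaping so the returned TrustedHTML carries no active markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the default-policy rules. `report` is an assumed callback (e.g. forwarding
// to a reporting endpoint). Because one naming scheme leaves the sink ambiguous,
// the same treatment is applied in every branch: a policy that allowed values for
// "Element setAttribute" because it was tested against spec naming would be
// accepting writes to any attribute, not just srcdoc.
function makeDefaultPolicyRules(report) {
  return {
    createHTML(value, sink) {
      const kind = classifyHtmlSink(sink);
      report({ type: "TrustedHTML", sink, kind });
      return escapeHtml(String(value));
    },
  };
}

// In a browser that exposes the API, install these rules as the default policy.
if (typeof globalThis.trustedTypes !== "undefined") {
  globalThis.trustedTypes.createPolicy("default", makeDefaultPolicyRules(console.warn));
}
```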