w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Script element mid-parse protection mechanism #525

Open lukewarlow opened 5 days ago

lukewarlow commented 5 days ago

This issue is here to track the specific spec mechanism for protecting against a script that's edited mid-parse.

To avoid needing to look all over, here's a summary. As of https://github.com/w3c/trusted-types/pull/499 all parsed scripts are trusted. The problem with this approach is that a script element's contents can be changed from JS before it finishes parsing. This case is tested by the first subtest of https://wpt.live/trusted-types/HTMLScriptElement-internal-slot.html and https://wpt.live/trusted-types/SVGScriptElement-internal-slot.html.

Chromium and WebKit's approach is to store a boolean flag on the HTML/SVGScriptElement which gets set to true if the children of the script element are changed by an API. This flag is then checked before setting the script text data.

We cannot spec this directly due to the DOM spec's children changed steps not providing the information as to whether something is changed by an API or by the parser. https://github.com/whatwg/dom/issues/1288 has been raised to discuss changes to the DOM spec which would be needed for this.
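As an added illustration (not code from the Trusted Types spec, the WPT tests or any browser), here is a small JavaScript model of the flag approach described above: parser-produced text is trusted as parsed, but once a DOM API has changed the script's children, the text is only used if it matches what was set through a TrustedScript. All class and method names are hypothetical.

```javascript
// Hypothetical JavaScript model of the mid-parse protection described in the
// issue. Not browser or spec code; names are invented for illustration.

class TrustedScript {            // stand-in for a policy-created TrustedScript
  constructor(text) { this.text = text; }
  toString() { return this.text; }
}

class ModelScriptElement {
  constructor() {
    this.childText = '';               // concatenated child text nodes
    this.scriptText = null;            // [[ScriptText]]-style internal slot
    this.childrenChangedByAPI = false; // the boolean flag from the issue
  }
  // Parser path: text arrives from the HTML parser and is trusted as parsed.
  parserAppendText(text) {
    this.childText += text;
    this.scriptText = this.childText;
  }
  // Trusted Types aware setter (e.g. el.text = trustedScript): the children
  // change via an API, but the slot is updated so the later check passes.
  setTextTrusted(trusted) {
    if (!(trusted instanceof TrustedScript)) throw new TypeError('TrustedScript required');
    this.childText = String(trusted);
    this.scriptText = this.childText;
    this.childrenChangedByAPI = true;
  }
  // Generic DOM mutation from JS (e.g. appendChild of a text node): bypasses
  // the setters, so only the flag records that an API touched the children.
  apiAppendChildText(text) {
    this.childText += text;
    this.childrenChangedByAPI = true;
  }
}

// Modelled "prepare the script element" check: parser-only content runs as is;
// once an API has changed the children, the child text must match what was
// set through a TrustedScript, otherwise the script is blocked.
function prepareScript(el) {
  if (!el.childrenChangedByAPI) return { ran: true, text: el.childText };
  if (el.scriptText !== null && el.childText === el.scriptText) {
    return { ran: true, text: el.childText };
  }
  return { ran: false, text: null }; // untrusted mid-parse edit detected
}
```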

lukewarlow commented 5 days ago

cc @mbrodesser-Igalia, it would be good if you or someone else from Mozilla could provide input on whether Gecko has a similar concept to WebKit and Chromium here. If it does, then it makes the case for standardising this, and specifically this protection mechanism, better.