Skip to content

Integrate Trusted Types enforcement into attribute handling#1268

Merged
annevk merged 13 commits into
whatwg:mainfrom
lukewarlow:trusted-types-attributes
Oct 31, 2025
Merged

Integrate Trusted Types enforcement into attribute handling#1268
annevk merged 13 commits into
whatwg:mainfrom
lukewarlow:trusted-types-attributes

Conversation

@lukewarlow

@lukewarlow lukewarlow commented Mar 27, 2024

Copy link
Copy Markdown
Member

This updates the DOM spec to add the neccessary integration with the Trusted Types spec to ensure attribute values are protected by TT enforcement.

The Element.setAttribute() and Element.setAttributeNS() method steps, along with the "set an attribute" algorithm (which is used by Element.setAttributeNode(), Element.setAttributeNodeNs(), NamedNodeMap.setNamedItem() and NamedNodeMap.setNamedItemNs()), and the "set an existing attribute value" algorithm (which is used by Attr.value, Attr.nodeValue, and Attr.textContent), are all updated to allow Trusted Type's to verify the updated attribute value before it's set.

The IDL definitions for Element.setAttribute() and Element.setAttributeNS() are both updated to take a TrustedType object (can be all 3 types) in addition to DOMString, these two methods are the only "blessed" way to update an attribute value when Trusted Types is enforced.

See and #789. Supercedes #809 and #1247

(See WHATWG Working Mode: Changes for more details.)


Preview | Diff

@lukewarlow

Copy link
Copy Markdown
Member Author

This is a clone of #1247 where I will finish any outstanding work to get this across the line

@lukewarlow
lukewarlow force-pushed the trusted-types-attributes branch 2 times, most recently from 3562fcb to ac5b4aa Compare April 10, 2024 15:52
@lukewarlow
lukewarlow force-pushed the trusted-types-attributes branch from 524d8cd to f8877b6 Compare April 11, 2024 12:18
@lukewarlow
lukewarlow marked this pull request as ready for review April 11, 2024 12:21
@lukewarlow

Copy link
Copy Markdown
Member Author

See also #1258 which is another integration point with the DOM spec that we need for TT.

@lukewarlow
lukewarlow marked this pull request as draft April 15, 2024 10:22
@lukewarlow
lukewarlow force-pushed the trusted-types-attributes branch from f8877b6 to ee9915e Compare April 15, 2024 11:45
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
@lukewarlow
lukewarlow marked this pull request as ready for review April 22, 2024 12:53
@lukewarlow
lukewarlow requested review from annevk and smaug---- April 22, 2024 13:13
@lukewarlow

Copy link
Copy Markdown
Member Author

I think I've addressed all the comments from #1247.

I do want to point out Chrome and WebKit don't (or at least not in a way obvious to me) 100% follow the flow of the spec and as a result this may result in differences specifically in weird cases with attribute mutation.

So that bit especially it would be good to get feedback on.

It's also worth being aware that like Chromium's implementation this spec means that certain ways to update a nodes value don't work with a trusted type object as a user might expect. (e.g. iframe.getAttributeNode('srcdoc').value = trustedHTMLObj; will throw unless allowed by a default policy). I think in pratice this will be fine, and in some cases is the only real option we have without nodes keeping track of whether they're trusted or not (which would add lots of complexity)

@annevk annevk left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is either incomplete or makes many cosmetic changes that would be best proposed separately as they confuse me quite a bit.

Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
@lukewarlow
lukewarlow force-pushed the trusted-types-attributes branch from 370f5c9 to 4421d50 Compare April 22, 2024 15:46
@lukewarlow

Copy link
Copy Markdown
Member Author

This change is either incomplete or makes many cosmetic changes that would be best proposed separately as they confuse me quite a bit.

Apologies I thought I'd reverted all of these changes but I missed a few, it's because I changed stuff and then changed it back and this led to some wonky diffs. Have hopefully reverted all of these unnecessary changes

@lukewarlow
lukewarlow force-pushed the trusted-types-attributes branch 2 times, most recently from 1d42460 to 1eeaf00 Compare April 22, 2024 15:52
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs
@lukewarlow

lukewarlow commented May 7, 2024

Copy link
Copy Markdown
Member Author

@otherdaniel, @annevk , and @smaug---- regarding the case where the default policy changes assumptions about the existence of an attribute mid-way through what would you prefer the spec say to do? Currently I've specced to throw, but Chromium currently re-looks up the index (spec doesn't explicitly work on an index basis but Chromium and WebKit do)

@annevk

annevk commented May 13, 2024

Copy link
Copy Markdown
Member

Attributes are stored in a list and those do have indices per Infra. What am I missing?

@lukewarlow

Copy link
Copy Markdown
Member Author

Sorry I mean algorithmically the spec and implementations don't follow the same flow. So it's trickier to reason between the spec and implementation. This might just be my lack of familiarity with these APIs too.

@annevk

annevk commented May 13, 2024

Copy link
Copy Markdown
Member

The path of least resistance is prolly matching Chromium. Introducing new paths that throw is always risky. If you are looking for guidance as to how, I'd need quite a bit more context to provide helpful suggestions.

@lukewarlow
lukewarlow force-pushed the trusted-types-attributes branch 2 times, most recently from 4089eaf to 02db8c7 Compare May 16, 2024 15:41
@lukewarlow
lukewarlow requested a review from otherdaniel May 16, 2024 15:43
@lukewarlow lukewarlow changed the title Trusted types attributes Integrate Trusted Types enforcement into attribute handling Jul 3, 2025
@lukewarlow

Copy link
Copy Markdown
Member Author

@otherdaniel I believe this spec PR fully matches your proposals to call TT as early as possible now. If you've got time I'd be thankful for a review to get another pair of eyes on this.

@annevk annevk left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is indeed a whole bit more straightforward to read through.

Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
aarongable pushed a commit to chromium/chromium that referenced this pull request Jul 30, 2025
This brings us in compliance with: whatwg/dom#1268

The code is a bit awkward because we need to support both old and
new spec until the TrustedTypesHTML can be removed.

Bug: 330516530
Change-Id: I9c234c93092c9eacb87977d75623c227727294d7
Fix: https://issues.chromium.org/issues/428754684
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6783830
Reviewed-by: Joey Arhar <jarhar@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1494165}
TimvdLippe added a commit to TimvdLippe/servo that referenced this pull request Aug 15, 2025
Callers now call `set_attribute` directly, to avoid the
trusted types machinery, as well as skip validation. That's
not required by spec as well.

This implements part of the DOM integration from
whatwg/dom#1268

Part of servo#36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
TimvdLippe added a commit to TimvdLippe/servo that referenced this pull request Aug 15, 2025
Callers now call `set_attribute` directly, to avoid the
trusted types machinery, as well as skip validation. That's
not required by spec as well.

This implements part of the DOM integration from
whatwg/dom#1268

Part of servo#36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

@annevk annevk left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fred-wang @otherdaniel if you could reply to @lukewarlow's comment above that would help a lot, thanks! @smaug---- did you want to have another look at this PR as well?

Comment thread dom.bs Outdated
Comment thread dom.bs Outdated
Comment thread dom.bs
Comment thread dom.bs Outdated
@fred-wang

Copy link
Copy Markdown

🎉

@annevk

annevk commented Oct 31, 2025

Copy link
Copy Markdown
Member

Indeed, thanks a lot @lukewarlow for finishing this and @smaug---- for his careful reviews! And of course everyone else that helped improve Trusted Types integration over the years. 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

8 participants