Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Core: Support Trusted Types #479

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Core: Support Trusted Types #479

wants to merge 1 commit into from

Conversation

tosmolka
Copy link

@tosmolka tosmolka commented Oct 1, 2021

Create HTML from string via custom Trusted Types policy in browsers that support Trusted Types.

This PR fixes #478

@gibson042
Copy link
Member

I am not comfortable with the size increase of this PR and don't know if it can come down enough to change that, although something like this could be attempted:

	trustedTypesPolicy = {
		createHTML: function( html ) {
			return html;
		}
	};

	try {
		trustedTypesPolicy = window.trustedTypes.createPolicy( "sizzle" );
	} catch ( e ) {}

mgol
mgol reviewed Oct 1, 2021
View reviewed changes
Copy link
Member

@mgol mgol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a problem with this approach. A similar jQuery issue about TrustedHTML support was solved by making sure we don't pass unwrapped TrustedHTML input to jQuery manipulation methods; PR: jquery/jquery#4927.

Here, we're using the API directly and this is a Blink-only API. We've historically tried to avoid relying on such APIs in jQuery & Sizzle.

Note that this patch would still not make jQuery 3.x support TrustedHTML as more changes are required and those changes will only be available in jQuery 4.0. Therefore, this patch only has a potential of fixing Sizzle without fixing jQuery.

Ultimately, the decision belongs to @gibson042 who's the Sizzle lead but at this point of the project lifecycle where we're getting close to deprecating Sizzle and only maintaining it as much as jQuery 3.x needs it, I'm not sure if such changes are worth it, especially with the concerns I raised above.

@mgol
Copy link
Member

mgol commented Oct 1, 2021

Also, note that just defining a policy & using it still won't solve all the issues. You can declare in CSP that you not only want to enforce trusted types usage but only allow specific policy names. Such declarations would work with jQuery 4.x now but they'd fail with Sizzle with the current patch.

@mgol mgol closed this Jan 10, 2022
@mgol mgol reopened this Jan 10, 2022
@tosmolka
Copy link
Author

This PR is loosely related to #472 where AdGuard team also proposed TT policy for sizzle.

@mgol
Copy link
Member

mgol commented Feb 14, 2023

@tosmolka To be honest, their approach of forking Sizzle makes sense for their use case. We're going to archive Sizzle soon and jQuery 3.7.0 & newer will have their own embedded selector engine based on Sizzle but cleaned up a lot.

The first jQuery version with Trusted Types support will be 4.0.0.

@mgol mgol mentioned this pull request Sep 7, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgol mgol mgol left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support Trusted Types
3 participants
@tosmolka @gibson042 @mgol