TrustedTypes… thoughts?

Just wanted to put this on our radar — the Trusted Types Spec WIP in WICG and a related Stage 0 Draft HostEnsureCanCompileStrings Passthru.

Thanks for mentioning this!

I need to look further into the standard to understand more about how Trusted Types need to be used. IIRC, you had explained at one of our meetings that the important thing was to be able to support them within something like ses-frame, so that malicious client code couldn’t use them to bypass the frame’s protections.

Is that the case, or would you explain it differently?

Michael.

From what I’ve seen about Trusted Types, they can be used to:

  1. Distinguish otherwise identical string values in ECMAScript code, one of which would fail CSP and the other would not (eval, DOM sinks as they call them).

  2. Employ privileged code (precreate named policies) against a globalThis.TrustedTypes method which can then be used to create such strings.

  3. Those policies can return the original string or throw when you call them with some string (at least from the examples).

  4. Those policies can mutate the string into a completely different one — change an href.

  5. If you think you’ve used the genuine policies — you will never know the difference or that something else happened — and likely such strings are intended for secure transactions.

I don’t want to play out those scenarios too far out — I’m not quite the right person to imagine that far out, but it eats at core aspects upon which attenuation would be assured in my opinion.

@markm I just noticed your objection to internally branding primitives specific to realms… Can you elaborate more here?

Personally, I have a more general issue with two identical things from the perspective of JS code having two different semantics if they are switched by accident (i.e. new Set([a, b])… why are they both here?)

That concern is more general/abstract in my mind though in that it also leaks to other discussion threads not on my mind at the moment where Module Keys are being given similar authority over specifiers — i.e. far beyond their responsibility (that falls to realms/compartments mappings to do correctly) — all intended to deal with fears over security potentially turning a little too Orwellian.
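To make the five points in the list above concrete, here is a small stand-alone model of the Trusted Types idea, added for this thread and not part of the spec or of any message in it. It is a simulation in plain JavaScript, not the browser's `trustedTypes` API: the names `TrustedScriptURL`, `createPolicyFactory`, `scriptSrcSink` and `demo`, and the `allowedNames` set standing in for a CSP `trusted-types <name>` allow-list, are all assumptions made here. It shows the branded-string distinction (point 1), policies minting such values (point 2), a policy that passes through or throws (point 3), and why restricting which policies may be created is the defender's control against a policy that silently rewrites values (points 4 and 5).

```javascript
// Simulation of the Trusted Types idea for this thread (not the browser API).

// A "branded" string: the sink accepts instances of this class, never plain strings.
class TrustedScriptURL {
  constructor(value) {
    this.value = String(value);
    Object.freeze(this);
  }
  toString() { return this.value; }
}

// Builds a createPolicy function whose registry is private to this factory.
// `allowedNames` is a constructed stand-in for the CSP `trusted-types` allow-list.
function createPolicyFactory(allowedNames) {
  const policies = new Map();
  return function createPolicy(name, rules) {
    if (!allowedNames.has(name)) throw new TypeError(`policy "${name}" not allowed`);
    if (policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
    const policy = Object.freeze({
      name,
      createScriptURL(input) {
        // Whatever the policy's rule returns is what the sink will later trust.
        return new TrustedScriptURL(rules.createScriptURL(String(input)));
      },
    });
    policies.set(name, policy);
    return policy;
  };
}

// A sink in the sense of the list above (think script.src with
// require-trusted-types-for 'script' in force): plain strings are rejected.
function scriptSrcSink(value) {
  if (!(value instanceof TrustedScriptURL)) {
    throw new TypeError('plain string rejected at sink');
  }
  return value.toString();
}

// Walks through the scenarios and returns the observable outcomes.
function demo() {
  // Only one policy name is permitted; this is the control that matters.
  const createPolicy = createPolicyFactory(new Set(['sameOrigin']));

  // Point 3: a policy that returns the original string or throws.
  const sameOrigin = createPolicy('sameOrigin', {
    createScriptURL(s) {
      if (!s.startsWith('/')) throw new TypeError(`rejected ${s}`);
      return s;
    },
  });

  // Point 1: two identical string values, only the branded one reaches the sink.
  const accepted = scriptSrcSink(sameOrigin.createScriptURL('/app.js'));
  let plainRejected = false;
  try { scriptSrcSink('/app.js'); } catch (e) { plainRejected = true; }

  // The restricting policy refuses a cross-origin value outright.
  let externalRejected = false;
  try { sameOrigin.createScriptURL('https://example.invalid/x.js'); } catch (e) { externalRejected = true; }

  // Points 4 and 5: a policy could rewrite the value and the consumer would
  // never see the difference, so the allow-list must keep an unapproved
  // policy from being registered at all. Constructed placeholder URL below.
  let rewriterBlocked = false;
  try {
    createPolicy('rewriter', { createScriptURL: () => '//elsewhere.invalid/x.js' });
  } catch (e) { rewriterBlocked = true; }

  return { accepted, plainRejected, externalRejected, rewriterBlocked };
}

module.exports = { TrustedScriptURL, createPolicyFactory, scriptSrcSink, demo };
```

The design point is that the sink never inspects the string itself; it only checks the brand, so every bit of assurance rests on which code was allowed to mint the brand. That is why the policy allow-list (and, inside a confining frame, who holds the `createPolicy` capability) is the piece worth attenuating.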