Hi @mikewest! Thanks for sending this! We picked it up at our face-to-face in Nice.
A few comments and questions:
- Why is trustedURL not a subclass of URL? It would be good if these trusted types fit meaningfully into the type hierarchy. Example code would help us here.
- Overall, we'd like to encourage you to not do this in IDL but instead do it in example code.
- It would be good to see integration with ES6 template strings, so that it's possible to come up with a typed output.
- The name implies trusted. Can we name it something a bit more functional, like maybe something like "unserialised types for DOM manipulation"? (yes, we know naming is hard :-) )
- This may result in escaping everything — too much work (there is also the potential risk that jumping back and forth between escape and override escapes is error-prone)
- Issues with multiple concatenation, e.g., `"mystring" + TrustedHTML.escape('unsafe') + "otherstring"` results in a JS string, not a typed object.
https://github.com/w3ctag/design-reviews/issues/198#issuecomment-332546044
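
The concatenation and template-string points in the comment above, as an added example that is not part of the original comment or of the Trusted Types proposal. `TypedHTML`, `html` and `setInnerHTML` are hypothetical stand-ins, not browser APIs, and the input string is constructed.

```javascript
// Hypothetical stand-in for the proposal's typed wrapper; NOT the browser API.
class TypedHTML {
  constructor(markup) { this.markup = markup; Object.freeze(this); }
  toString() { return this.markup; }
  // Escape untrusted text so it is inert when used as HTML content.
  static escape(text) {
    const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
    return new TypedHTML(String(text).replace(/[&<>"']/g, (c) => map[c]));
  }
}

// Tagged template: the literal parts are author-written markup, interpolated
// values are escaped unless they already carry the type. Returns a typed object.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TypedHTML ? v : TypedHTML.escape(v)).toString();
    out += strings[i + 1];
  });
  return new TypedHTML(out);
}

// Hypothetical sink that models a DOM setter accepting only the typed object.
function setInnerHTML(sink, value) {
  if (!(value instanceof TypedHTML)) throw new TypeError('TypedHTML required');
  sink.innerHTML = value.toString();
  return sink;
}

const unsafe = '<b>"bold" & brash</b>'; // constructed sample input

// The + operator coerces the wrapper through toString(): the result is a
// plain JS string and the type information is gone.
const concatenated = 'mystring' + TypedHTML.escape(unsafe) + 'otherstring';

// The tagged template keeps the type across the whole composed value.
const templated = html`<p>${unsafe}</p>`;

// True when the type-checking sink refuses the concatenated string.
function concatIsRejected() {
  try { setInnerHTML({}, concatenated); return false; }
  catch (e) { return e instanceof TypeError; }
}
```
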