Re: [whatwg/dom] Trusted Types integration (#789)

> I was hoping to weigh in with the desired "more opinions", but I've ended up pretty confused. Would someone be able to summarize what the current question at hand is?

Roughly summarizing - when we move the trusted values to slots in elements, and use them instead of content attributes when JS code execution might happen, we need to decide what to do if the values were set using DOM APIs that set content attributes - i.e. how and if to use TT in Javascript APIs from the following list:

 * `Element.setAttribute(NS)`
 * `Attr.value` setter
 * `element.attributes.setNamedItem(attrNode)`

> 
> In the meantime, here is my general position:
> 
> I believe that `setAttribute()` should accept trusted type objects; part of the idea of trusted types is that you can stop using the strings throughout your codebase. Saying that authors need to move to properties instead of attributes seems bad.

> I also appreciate the simplicity of the model of attributes being a string -> string map, and think that would be nice to keep. Although we have to recognize that in reality it's a list of `Attr` nodes, not a string -> string map, so the conceptual simplicity is already on shaky ground.
> 
> If you combine these it seems like the simplest way to make it work is to normalize the trusted type object to a string as part of the setAttribute() call, which is part of the "TT-at-sinks" program. This could throw. That sounds like a good path to me.
> 
> It's also reasonable to add a "trusted" or "came from a trusted type" boolean to the `Attr` node concept. (Tracked internally, with no exposed API.) Then setAttribute()'s job would be to set that boolean to true when appropriate, and otherwise leave it at its default of false. That's also reasonable, IMO.

FWIW, Chrome's implementation that added TT support for `Attr.value` and `element.attributes.setNamedItem(attrNode)` turned out [fairly simple](https://chromium-review.googlesource.com/c/chromium/src/+/1911215). I think it makes sense if at least `setAttribute(TT)` and `Attr.value` setter (if the attribute is bound to an element) populated the slot for the element. I don't feel strongly about methods that move attr nodes around or storing trustedness in `Attr` itself. I think it would be fine if

```javascript
const s = document.createElement('script');
s.attributes.setNamedItem(someSrcAttr);
```
succeeded, but did not set a slot value, such that the TT check would be done in prepare a script later, calling a default policy and likely bailing out.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/789#issuecomment-556058348

Received on Wednesday, 20 November 2019 15:36:14 UTC
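An added model of the behaviour debated in this thread (my own illustration, not code from the thread, the DOM spec or Chromium): `setAttribute()` normalizes a trusted value to a string at the sink while recording it in a per-element slot, and a later prepare-a-script step that finds the slot empty after `setNamedItem()` falls back to the default policy and bails out when it refuses. The policy names and the `/static/` allow-list are constructed.

```javascript
// Minimal TrustedScriptURL stand-in: an object that carries a URL and
// stringifies to it, so the content attribute stays a plain string.
class TrustedScriptURL {
  constructor(url) { this.url = url; }
  toString() { return this.url; }
}

// Constructed policies: 'app' mints trusted values for an allow-listed path;
// 'default' is what prepare-a-script consults when no trusted value is present.
const policies = {
  app: {
    createScriptURL(s) {
      if (!s.startsWith('/static/')) throw new TypeError('policy rejected ' + s);
      return new TrustedScriptURL(s);
    },
  },
  default: { createScriptURL(s) { return s.startsWith('/static/') ? new TrustedScriptURL(s) : null; } },
};

class ScriptElement {
  constructor() { this.attrs = new Map(); this.srcSlot = null; }
  // TT-at-sinks: 'src' only accepts a TrustedScriptURL; the object is kept in
  // the slot and stringified for the content attribute (string -> string map).
  setAttribute(name, value) {
    if (name === 'src') {
      if (!(value instanceof TrustedScriptURL)) throw new TypeError('src requires TrustedScriptURL');
      this.srcSlot = value;
    }
    this.attrs.set(name, String(value));
  }
  // Moving an Attr node in touches the content attribute only, never the slot.
  setNamedItem(attr) { this.attrs.set(attr.name, attr.value); }
  // prepare-a-script: trust the slot if populated; otherwise run the default
  // policy over the attribute string and bail out if it returns null.
  prepareScript() {
    if (this.srcSlot) return { executed: true, via: 'slot', url: String(this.srcSlot) };
    const s = this.attrs.get('src');
    const checked = policies.default.createScriptURL(s);
    return { executed: checked !== null, via: 'default-policy', url: s };
  }
}

// Scenario from the comment: setNamedItem() succeeds but leaves the slot empty.
function viaSetNamedItem(url) {
  const s = new ScriptElement();
  s.setNamedItem({ name: 'src', value: url });
  return s.prepareScript();
}
```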