Re: [whatwg/dom] Trusted Types integration (#789)

I was hoping to weigh in with the desired "more opinions", but I've ended up pretty confused. Would someone be able to summarize what the current question at hand is?

In the meantime, here is my general position:

I believe that `setAttribute()` should accept trusted type objects; part of the idea of trusted types is that you can stop using the strings throughout your codebase. Saying that authors need to move to properties instead of attributes seems bad.

I also appreciate the simplicity of the model of attributes being a string -> string map, and think that would be nice to keep. Although we have to recognize that in reality it's a list of `Attr` nodes, not a string -> string map, so the conceptual simplicity is already on shaky ground.

If you combine these it seems like the simplest way to make it work is to normalize the trusted type object to a string as part of the setAttribute() call, which is part of the "TT-at-sinks" program. This could throw. That sounds like a good path to me.

It's also reasonable to add a "trusted" or "came from a trusted type" boolean to the `Attr` node concept. (Tracked internally, with no exposed API.) Then setAttribute()'s job would be to set that boolean to true when appropriate, and otherwise leave it at its default of false. That's also reasonable, IMO.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/789#issuecomment-555203213

Received on Monday, 18 November 2019 20:51:18 UTC