- From: Mike West <notifications@github.com>
- Date: Tue, 03 Mar 2020 22:04:57 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 4 March 2020 06:05:09 UTC
Hey, Peter! Thanks for the feedback! The main reason we ended up reusing `.innerHTML` rather than introducing `.innerTrustedHTML` or similar is deployment cost. As currently specified, Trusted Types can be rolled out to an existing application in a piecemeal fashion in a way that works in both browsers that support the mechanism and those that don't. Changing the DOM entry points themselves would require substantial rewriting and branching at every point at which the DOM is modified; @koto will have more detail here, but my understanding is that most(?) applications have significantly fewer points of string creation and/or sanitization than points of usage. Auditing and adjusting the former is a tractable task; branching for the latter would be more difficult.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/198#issuecomment-594344069
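
The piecemeal rollout described in the message above, sketched as an added example that is not part of the original email or of any project's code: string creation is centralized in one policy, and `.innerHTML` call sites are identical whether or not the browser implements Trusted Types. The names `createHtmlPolicy`, `escapeHtml`, `render` and the policy name `app-html` are hypothetical, and the escaping rule assumes the application only renders untrusted text.

```javascript
// Added example. All function names and the policy name are hypothetical.

// The single sanitization point. Assumption: untrusted input is plain text
// that must never be interpreted as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns an object exposing createHTML(). In a browser that implements
// Trusted Types this is a real policy whose output is a TrustedHTML object;
// elsewhere it is a plain shim with the same shape that returns strings.
function createHtmlPolicy(globalObj) {
  const rules = { createHTML: (input) => `<p>${escapeHtml(input)}</p>` };
  const tt = globalObj && globalObj.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    // Under enforcement the page's CSP would carry:
    //   require-trusted-types-for 'script'; trusted-types app-html
    return tt.createPolicy('app-html', rules);
  }
  return rules; // browser without support: same call shape, plain strings
}

// A point of usage. It does not branch on browser support; only the point
// of string creation above does.
function render(element, policy, untrusted) {
  element.innerHTML = policy.createHTML(untrusted);
  return element.innerHTML;
}

// One policy for the whole application, created once at startup.
const policy = createHtmlPolicy(globalThis);
```
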