Re: [whatwg/dom] Trusted types attributes (PR #1268)

@lukewarlow commented on this pull request.



> @@ -6519,6 +6529,11 @@ string <var>namespace</var> (default null):</p>
 
  <li><p>If <var>oldAttr</var> is <var>attr</var>, return <var>attr</var>.
 
+ <li><p>Let <var>verifiedValue</var> be the result of calling <a>verify attribute value</a>
+ <var>attr</var>'s <a for=Attr>value</a> for <var>attr</var>, with <var>element</var>.
+
+ <li><p>Set <var>attr</var>'s <a for=Attr>value</a> to <var>verifiedValue</var>.
+
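Review bot: the new verification step runs after the "If oldAttr is attr, return attr" check, so if verify attribute value can invoke author script (the default policy discussed in this thread), the oldAttr that was compared before the call may no longer reflect the element's state when attr's value is set. Either move the verification ahead of that comparison or add a note saying why the earlier result stays valid. Separately, "the result of calling verify attribute value attr's value for attr, with element" seems to be missing a word between the algorithm name and its first argument, which leaves it unclear how the three arguments map to the algorithm's parameters.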

The default policy doesn't provide context about which element an attribute is set on, only the name of the attribute. In this case this algorithm is triggered by APIs such as setAttributeNode or setNamedItem.

So I don't think there's anything that can happen here that's too bad. Also, any mechanism you use inside of the default policy will itself trigger the default policy, so it should be fine?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/pull/1268#discussion_r1679441778

Message ID: <whatwg/dom/pull/1268/review/2180315283@github.com>

Received on Tuesday, 16 July 2024 13:50:54 UTC