- From: Luke Warlow <notifications@github.com>
- Date: Thu, 13 Jun 2024 08:08:22 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/pull/1268/c2165953464@github.com>
# Trusted Types integration with DOM

The DOM spec already contains partial integration with Trusted Types; this was included in https://github.com/whatwg/dom/pull/1258

This PR updates the DOM functions related to attributes.

The following functions' IDL are adjusted, to accept a TrustedType (TrustedHTML or TrustedScript or TrustedScriptURL) or a string.

**Element.setAttribute**

**Element.setAttributeNS**

The above two functions are the "sanctioned" methods for updating the value of an attribute; any other way relies on default policy, else they'll fail TT checks.

The algorithm for the setAttribute function (and the "set an attribute value" algorithm used by setAttributeNS) is updated to call into Trusted Types such that if the attribute being set is one of those covered by Trusted Types, the value being set is verified (potentially being replaced with a different value). These algorithms include some handling for if the Trusted Types default policy changes whether the attribute being set exists or not.

**Element.setAttributeNode** and **Element.setAttributeNodeNS** both, along with **NamedNodeMap.setNamedItem** and **NamedNodeMap.setNamedItemNS**, make use of the "setting an attribute" algorithm, which is similarly updated to call into Trusted Types.

**Attr.value**, **Node.textContent**, and **Node.nodeValue** setters call "set an existing attribute value"; this algorithm is updated such that for attributes attached to an element, Trusted Types is called into and verifies the value.

In all these cases the changes only have any impact for a select few attributes (e.g. event handlers, iframe srcdoc attribute).
Received on Thursday, 13 June 2024 15:08:26 UTC
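
The behaviour described in the message above, as an added example that is not part of the original message or of the DOM specification: a simplified JavaScript model of a Trusted Types check inside `setAttribute`. `SINKS`, `Trusted`, `makePolicy` and `ModelElement` are hypothetical names, and the attribute table is a constructed subset, not the spec's full list.

```javascript
// Simplified model of the check described above; not the DOM spec's algorithm text.
// Constructed subset: (element, attribute) pairs and the type each one requires.
const SINKS = {
  "iframe srcdoc": "TrustedHTML",
  "script src": "TrustedScriptURL",
  "* onclick": "TrustedScript", // event handler content attributes apply to any element
};

// Stand-in for TrustedHTML / TrustedScript / TrustedScriptURL objects.
class Trusted {
  constructor(type, value) { this.type = type; this.value = value; Object.freeze(this); }
  toString() { return this.value; }
}

// Stand-in for a policy: only values passed through it become Trusted objects.
// A rule that is missing or returns null/undefined rejects the input.
const makePolicy = (rules) => ({
  create(type, input) {
    const out = rules[type] ? rules[type](input) : null;
    return out == null ? null : new Trusted(type, String(out));
  },
});

class ModelElement {
  constructor(localName, { enforce = true, defaultPolicy = null } = {}) {
    this.localName = localName;
    this.attrs = new Map();
    this.enforce = enforce;             // models Trusted Types enforcement being active
    this.defaultPolicy = defaultPolicy; // models the page's default policy, if any
  }

  setAttribute(name, value) {
    name = name.toLowerCase();
    const required = SINKS[`${this.localName} ${name}`] ?? SINKS[`* ${name}`];
    const typed = value instanceof Trusted && value.type === required;
    if (required && this.enforce && !typed) {
      // A plain string (or the wrong trusted type) at a covered attribute:
      // only the default policy can produce an acceptable value.
      const fixed = this.defaultPolicy?.create(required, String(value));
      if (!fixed) throw new TypeError(`${name} on <${this.localName}> requires ${required}`);
      value = fixed; // the default policy may have replaced the value
    }
    this.attrs.set(name, String(value));
  }
}
```

Attributes outside the table pass through unchanged, which mirrors the message's point that only a select few attributes are affected.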