Make task-lists-elements CSP Trusted Types compatible#35
Conversation
da82936 to 8fc70a8
* this change doesn't actually add any security to task-lists-elements, it effectively just adheres to the trusted types API by not passing bare strings directly to
8fc70a8 to 98a446c
primer-css commented Dec 21, 2022
👋 Hello and thanks for pinging us! This issue or PR has been added to our inbox and a Design Infrastructure first responder will review it soon.
Looks good from a pse-architecture perspective! It's unfortunate we need to be so verbose for something like this, but unfortunately we have no way to indicate that an innerHTML is coming from a hardcoded string 😓
This change makes task-lists-elements compatible with the CSP directive Trusted Types. This CSP directive allows developers to mark a value as a Trusted Type; usually this would be done in conjunction with running some type of sanitizer like DOMPurify to ensure the value doesn't contain any unsafe elements. Fortunately, task-lists-elements doesn't have major violations, just this one. Unfortunately the change in this PR does not buy any security benefits, it just adheres to the Trusted Types API -- not passing bare strings directly to potentially dangerous injection sinks. Currently this implementation is the best way to make this library compatible with trusted types.
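The pattern the description refers to, as an added example that is not the task-lists-elements code from this PR: under a CSP of the form `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types task-lists-template`, the browser refuses bare strings at `innerHTML` and only accepts a `TrustedHTML` value minted by a registered policy. The policy name `task-lists-template`, the template markup and the `TEMPLATES` table are assumptions constructed for this example. Where the comment above notes that a policy cannot by itself prove a string is hardcoded, the policy below makes that check explicit: it only mints `TrustedHTML` for strings that are one of the frozen templates, so a pass-through of arbitrary data is rejected rather than silently trusted.

```javascript
// Added example, not code from task-lists-elements. Shows routing a hardcoded
// HTML template through a Trusted Types policy instead of assigning a bare
// string to innerHTML, plus a fallback for environments without the API.

// Constructed stand-in for a hardcoded template; frozen so nothing can swap
// the markup at runtime.
const TEMPLATES = Object.freeze({
  handle: '<span class="handle" aria-hidden="true">&#8942;</span>',
});

// Policy rules: only strings that are exactly one of the hardcoded templates
// are released. Anything else throws, which is what turns the policy from a
// compatibility shim into an actual restriction on the injection sink.
const policyRules = {
  createHTML(input) {
    if (!Object.values(TEMPLATES).includes(input)) {
      throw new TypeError('refusing to create TrustedHTML from a non-template string');
    }
    return input;
  },
};

// Create the policy once. The name is an assumption and must match the
// "trusted-types" CSP directive. Where window.trustedTypes is absent (older
// browsers, Node), the same rules are applied and a plain string is returned,
// which those environments accept at innerHTML.
function createTemplatePolicy(tt = globalThis.trustedTypes) {
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy('task-lists-template', policyRules);
  }
  return policyRules;
}

// Render a named template into target.innerHTML via the policy. Unknown
// template names are an error rather than an empty render.
function renderTemplate(target, name, policy) {
  const html = TEMPLATES[name];
  if (html === undefined) {
    throw new RangeError(`unknown template: ${name}`);
  }
  target.innerHTML = policy.createHTML(html);
}

// Stand-alone usage with a plain object in place of a DOM element.
const demoTarget = {};
renderTemplate(demoTarget, 'handle', createTemplatePolicy());
```

In a real page the policy is created once at module load, and the `trusted-types` directive in the CSP should list only that policy name, so a second policy with the same name (or an unlisted one) fails to register and is reported as a CSP violation.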