Seeking Trusted Types feedback on Array.isTemplateObject #519
Comments
|
@koto you're probably best placed to answer this concretely. My understanding is that for TT we don't care about realms. The threat model for TT is untrusted strings being used in "harmless" code. If someone manages to get to a realm with unprotected eval and fake mint a literal string well that's outside the threat model that TT protects against (relies on malicious code already executing on the page). Cc @annevk too |
|
That is correct, the realms don't matter much for the Trusted Types use case; to be more specific, if |
|
Reading the TC39 discussion the underlying assumption here is that template objects will never participate in serialize-deserialize? Is that enshrined somehow? |
|
@annevk This is a good point; what if this is enshrined with a note in both the Array.isTemplateObject description and the serialize-deserialize spec, which says "the template-object-ness is not currently serialized/deserialized; please consider TT implications if you ever do that"? |
|
Currently it would become a plain Array, right? I think adding asserts in serialize-deserialize, possibly with a note, would suffice. |
TC39 recently discussed Array.isTemplateObject, a feature to enable TT to allow literal HTML/JS strings. See the notes at https://github.com/tc39/notes/blob/main/meetings/2024-04/april-10.md#arrayistemplateobject-next-steps
The committee wanted to ask the Trusted Types experts: Do you have a preference for same-realm vs cross-realm brand checks? This question means: when you have multiple same-origin iframes, should
Array.isTemplateObjectguard against cross-realm template objects and return false for them?My impression is that this question shouldn't matter for expected TT use cases, and either option should work. The normal case is that you apply the tag directly to the template, so you're not crossing template boundaries. The test we're doing is for literal-ness, not isolation context (ShadowRealms and cross-origin iframes are already isolated in different ways, which doesn't permit objects including templates to be shared at all).
My understanding is that the realm-specific query was difficult to implement in past attempts, but might be possible to do. The cross-realm check is simpler to specify and implement.
What would you prefer? Once I have an answer from this group, I'll bring it back to TC39 and propose it for Stage 2.7.
The text was updated successfully, but these errors were encountered: