Hi,
I am working on a Trusted Types (TT) polyfill, which is a new API proposal for mitigating client-side DOM XSS by changing the definition of dangerous DOM APIs, called "sinks".
The polyfill works by re-defining the sinks. This works for the native DOM API, because properties on the DOM are configurable (see the configurable section in Object.defineProperty).
I am working on an example integration of the TT polyfill with domino. You can see the preliminary PR in w3c/trusted-types#299. Unfortunately, properties created by domino are non-configurable (e.g. insertAdjacentHTML) and the polyfill code breaks.
I saw a similar (closed) issue #89, for writable properties. This is a bit similar. What I propose is making the properties configurable by default. If there are no objections, I think I should have time to create a PR for this.
cc: @koto
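The failure described in this issue, as an added example that is not part of the original post and is not code from domino or the polyfill: redefining a method sink with Object.defineProperty succeeds when the property is configurable and is refused with a TypeError when it is not. `FakeTrustedHTML`, `makeElementProto` and `guardSink` are hypothetical names, and the prototypes are constructed stand-ins.

```javascript
// Constructed marker type standing in for a Trusted Types object.
class FakeTrustedHTML {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Constructed stand-in for a DOM prototype (not domino's code). Passing only
// `value` leaves writable/enumerable at their default of false.
function makeElementProto(configurable) {
  const proto = {};
  Object.defineProperty(proto, 'insertAdjacentHTML', {
    value(position, html) { return `parsed:${html}`; },
    configurable,
  });
  return proto;
}

// Hypothetical guard: swap a method sink for a wrapper that rejects plain strings.
function guardSink(proto, name) {
  const desc = Object.getOwnPropertyDescriptor(proto, name);
  if (!desc || typeof desc.value !== 'function') {
    return { guarded: false, reason: 'not an own method' };
  }
  const original = desc.value;
  try {
    Object.defineProperty(proto, name, {
      ...desc,
      value(position, html) {
        if (!(html instanceof FakeTrustedHTML)) {
          throw new TypeError(`${name} requires a trusted value`);
        }
        return original.call(this, position, String(html));
      },
    });
    return { guarded: true };
  } catch (err) {
    // Non-configurable, non-writable property: the redefinition is refused.
    return { guarded: false, reason: err.name };
  }
}

const nativeLike = makeElementProto(true);
const locked = makeElementProto(false);
console.log(guardSink(nativeLike, 'insertAdjacentHTML')); // { guarded: true }
console.log(guardSink(locked, 'insertAdjacentHTML'));     // { guarded: false, reason: 'TypeError' }
```

In the non-configurable case the sink stays unguarded, so an integration should check the returned status rather than assume the wrapper is in place.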