Add trusted types support to lit html #970
Conversation
This is looking good, and is the way we'd like to implement DOM sanitization long term.
I'd like to see some tests of attribute setting because that can be fairly tricky. Might be good to test property setting too, though I can't see any reason why that wouldn't work.
We'd also be ok having a development dependency on the trusted types polyfill and including that in security tests.
Compare with #750
All right! The resin sanitization hooks have landed. I think this PR should be good to go once the changes in `parts.ts` are aligned with the similar changes in master.
@rictic Super excited now :)
Just one suggestion, then I think this is good to go!
@justinfagnani do you want to do a final pass?
A couple more super minor things
@rictic @justinfagnani Can you please have a look? I think I resolved all of the comments :)
Great work!
// TrustedTypes have been renamed to trustedTypes | ||
// (https://github.com/WICG/trusted-types/issues/177) | ||
const trustedTypes = | ||
(w.trustedTypes || w.trustedTypes) as TrustedTypePolicyFactory; |
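Review bot: on the last line, `w.trustedTypes || w.trustedTypes` tests the same property twice, so the fallback the comment above describes (the global was renamed from `TrustedTypes` to `trustedTypes`) never takes effect on browsers that still expose only the old name; the second operand should be `w.TrustedTypes`, i.e. `(w.trustedTypes || w.TrustedTypes) as TrustedTypePolicyFactory`.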
I think one of these should have been `w.TrustedTypes`?
Yeah, fixed in #1003
* Add trusted types support to lit html
* PR changes
* Resolve PR suggestions, update to latest master
* Write attribute tests, fix incorrect tests
* Resolve PR issues
* Fix formatting
* Change TrustedTypes to trustedTypes and improve tests
This reverts commit 2a719e6.
This reverts commit cedf4b3. It also refactors the trusted types tests so that they can run with native trusted types enabled. We're not currently testing with trusted types enforced. Need to modify http headers to do that. I've got a karma config we can use once we migrate to karma.
* Revert "Revert "Add trusted types support to lit html (#970)"" This reverts commit cedf4b3. It also refactors the trusted types tests so that they can run with native trusted types enabled. Also revamp the trusted types tests, and run all lit-html tests with trusted types enabled on browsers that support it natively.
* Remove trusted types mention from changelog * Adds rendering test composing parts and slots (#1077) * Adds rendering test composing parts and slots Tests if #1046 has been addressed in the webcomponents polyfills. * Update @webcomponents/webcomponentsjs dev dependency to required version * Add 1.2.0 release notes (#1104) * Don't disturb imperatively added classes in classMap (#1112) Fix #1111 Revert classMap to previous implementation, but don't use classList or className. * Fix lint errors (#1116) * Prepare 1.2.0-pre.1 release (#1117) * Link changelog issue (#1118) * Prepare 1.2.0 release (#1128) * Use downlevel-dts, test compile in TS 3.4 (#1129) * Use downlevel-dts, test compile in TS 3.4 Related to lit/lit-element#935 Haven't heard anything about this being a problem for lit-html, but better to be ahead of any issues. * Lock typescript version at ~3.8 Prevent breakage for devs coming into the lit-html repo and doing `npm install` after a new breaking release of TypeScript * Prepare 1.2.1 release (#1130) * Update new task template * Update lint dependencies (#1099) * Update a broken link in the documentation. (#1138) * Doc usability improvements. Fixes #1133. (#1147) * Doc usability improvements. Fixes #1133. * Address feedback. * Fix typo. (#1152) * Update issue templates added label * Restore trusted types (#1153) * Revert "Revert "Add trusted types support to lit html (#970)"" This reverts commit cedf4b3. It also refactors the trusted types tests so that they can run with native trusted types enabled. Also revamp the trusted types tests, and run all lit-html tests with trusted types enabled on browsers that support it natively. 
* Adds the correct path information to the release notes links for #1163 (#1164) * Updating links in guide to point to correct guides https://lit-html.polymer-project.org/guide/release-notes * Didn't need to actually go down a level in the dir * Update docs/guide/release-notes/1.2.0.md Co-authored-by: Arthur Evans <[email protected]> * Update docs/guide/release-notes/1.2.0.md Co-authored-by: Arthur Evans <[email protected]> * Update docs/guide/release-notes/1.2.0.md Co-authored-by: Arthur Evans <[email protected]> Co-authored-by: Arthur Evans <[email protected]> * Correct copyright dates. (#1171) * Add BLM banner (#1172) * docs: fixed small error (#1180) Since this is just a typo fix in the README, I'm going to go ahead and merge it. * Fix api doc (#1178) * Fixes #1177. * Fix links. * Remove unneeded typedoc tags. * Redirect old API URLs. * Update firefox and edge logo (#1161) Co-authored-by: Arthur Evans <[email protected]> * Update dev server recommendations (#1059) * Update dev server recommendations Came here to fix a broken link, got more than I bargained for. Other recommendations (like linting and IDE plugins) may need updating as well. * Address comments. * Fix typos, add notes on attribute prefixes. (#933) * Fix typos, add notes on attribute prefixes. * More detail on strings param * Run format. * Make IDE plugins links, change recommendation (#956) * Make IDE plugins links, change recommendation I think we should recommend runem.lit-plugin because it supports type checking of template bindings, and it seems to be robust (I ran it across all of google3 and there were only a small number of issues, which I'm sending out PRs for) * Address feedback, update linting suggestion. * Address more feedback. Co-authored-by: Arthur Evans <[email protected]> * Bump lodash from 4.17.15 to 4.17.19 in /docs (#1183) Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19. 
- [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.15...4.17.19) Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Arthur Evans <[email protected]> * Set type in package.json to "module" (#1146) This would let Node >=13 to load lit-html as ES modules without any other bundling tools. Move check-version-tracker file extension to .cjs to continue loading it as cjs. * Fix trusted types tests. (#1193) * Fix trusted types tests. Also fix support for trusted types in the unsafeSVG directive. Have to handle IE separately in unsafe-svg because apparently the svgElement.innerHTML setter is a no op in IE :/ * chore(shady-render): export shadyTemplateFactory (#1135) * Update changelog for 1.3.0 * Prepare 1.3.0-pre.1 release * Add 1.3.0 release notes (#1202) * Prep 1.3.0 release * Update package lock * Remove ts3.4 typings before generating * Update Tachometer * Add chromedriver as a devDependency * Fix flaky async-append test * Update build docs (#1201) * Revised build docs WIP. * Update build docs. Fixes #1148. * Address feedback. * Address feedback, fix typos. * Create lit-html-next-bug-report.md (#1308) * Create lit-html-next-bug-report.md Add issue template * Apply suggestions from code review * Create lit-element@next-major issue template (#1320) * Create lit-element-next-bug-report.md * Apply suggestions from code review * Fix issue template formatting * Fix styleMap example (#1433) Example function has a body, hence it doesn't have an implicit return value. An explicit return value is needed for the example to make sense. 
* Fix typos in 03-styling-templates.md (#1511) * Fix typos in 06-template-reference.md (#1562) * [lit-html] add Lit 2 directive syntax to Lit 1 (#1654) Co-authored-by: Kevin Schaaf <[email protected]> Co-authored-by: Russell Bicknell <[email protected]> * Small fixes to 1.3.0 release ntoes (#1719) * Correct evasive typo (#1725) change "current" -> "currently" * Small tweaks to forward-compat directives (#1748) * [lit-html] Update Twitter handle from polymer -> buildWithLit (#1779) * Add version banner, landing page redirect. (#1786) * [lit-html] Prepare v1.4.0 release (#1809) Co-authored-by: Justin Fagnani <[email protected]> Co-authored-by: Steve Orvell <[email protected]> Co-authored-by: Abraham Williams <[email protected]> Co-authored-by: Peter Burns <[email protected]> Co-authored-by: Abdón Rodríguez Davila <[email protected]> Co-authored-by: Lukas Papay <[email protected]> Co-authored-by: Arthur Evans <[email protected]> Co-authored-by: nicolejadeyee <[email protected]> Co-authored-by: Paul Kinlan <[email protected]> Co-authored-by: 0xflotus <[email protected]> Co-authored-by: Felix Schulze Sindern <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: vikerman <[email protected]> Co-authored-by: Manuel Martín <[email protected]> Co-authored-by: tikotus <[email protected]> Co-authored-by: Nicolás Font <[email protected]> Co-authored-by: Vadim Filimonov <[email protected]> Co-authored-by: Elliott Marquez <[email protected]> Co-authored-by: Kevin Schaaf <[email protected]> Co-authored-by: Todd Pressley <[email protected]> Co-authored-by: Elliott Marquez <[email protected]>
Trusted Types
Trusted Types (spec, introductory article) is a new experimental DOM API implemented within the WICG, with a working Chrome implementation.
The API creates a few new objects available on the global object in the browser, like most other web APIs (impl in TS and in Closure compiler).
Under certain conditions, controlled by an HTTP header (analogous to Content-Security-Policy behavior), the API enables enforcement; it then changes the signature of several DOM API functions and property setters, such that they accept specific object types and reject strings. Colloquially, the DOM API becomes strongly typed.
For example, with Trusted Types the `Element.innerHTML` property setter accepts a `TrustedHTML` object.
Trusted Type objects stringify to their inner value. This API shape is a deliberate choice that enables existing web applications and libraries to gradually migrate from strings to Trusted Types without breaking functionality. In our example, it makes it possible to write the following:
The above code works regardless of whether Trusted Types enforcement is enabled or not.
Reading from the DOM is unaffected, so the `Element.innerHTML` getter returns a string. That's for practical reasons -- web applications read from the DOM more often than they write to it, and only writing exposes the application to DOM XSS risks. Typing only the setters allows us to secure web applications with minimal code changes.
Adding Trusted Types to Polymer
Polymer is one of the most popular frameworks for building frontend applications. It uses Lit Element and Lit HTML for rendering components.
Lit Element - manipulates a dangerous DOM sink only in `updating-element.ts` (`setAttribute`, line 543). This place is however under the control of the user. This means that if the user wants to set a value for an attribute which can potentially cause XSS and has enabled Trusted Types enforcement, they can use a Trusted Value instead of a string. That means that no changes are required for this module.

Lit HTML - is a templating library which converts the template to DOM. There are a few places which need to be changed to enable Trusted Types:

- The `innerHTML` of the template element, which will cause an error if Trusted Types are enforced. There is no way the user can convert this value to a Trusted Type. Instead, we will create a policy for Lit HTML called `lit-html` and convert this value to a Trusted Type internally. Users using Polymer only need to add `lit-html` to the CSP header of Trusted Types.
- There is also the option to use `unsafeHTML`. This however expects users who have Trusted Types enforcement enabled to provide a Trusted Value.
- Lastly, the place which toggles a boolean attribute, which is safe, as boolean attributes can't cause XSS and will never require Trusted Values.
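The description above covers three situations: lit-html minting its own `lit-html` policy for developer-authored template markup, `unsafeHTML` requiring the caller to supply a Trusted Value under enforcement, and plain strings continuing to work where Trusted Types are absent. The following is an added example, not lit-html's code or code from this PR: a Node-runnable model of that contract. `TrustedHTML`, `makeTrustedTypesFactory` and `makeElement` are stand-ins for the browser's `TrustedHTML`, `window.trustedTypes` and `Element` so the file runs without a DOM; the policy name `app-sanitizer`, the toy `<script>`-stripping sanitizer and the sample markup are constructed for illustration.

```javascript
// Stand-in for the browser's opaque TrustedHTML object. It stringifies to its
// inner value, which is what lets string-based code keep working.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Stand-in for window.trustedTypes. `allowed` models the CSP policy
// allow-list: createPolicy throws for a name that is not listed.
function makeTrustedTypesFactory(allowed) {
  return {
    createPolicy(name, rules) {
      if (!allowed.includes(name)) {
        throw new TypeError(`policy "${name}" is not allowed by CSP`);
      }
      return {
        name,
        createHTML: (s) => new TrustedHTML(rules.createHTML(String(s))),
      };
    },
    isHTML: (v) => v instanceof TrustedHTML,
  };
}

// Stand-in for an Element. Only the innerHTML setter is typed when
// enforcement is on; the getter always returns a string.
function makeElement(enforce, trustedTypes) {
  let html = '';
  return {
    set innerHTML(v) {
      if (enforce && !trustedTypes.isHTML(v)) {
        throw new TypeError('innerHTML requires TrustedHTML while Trusted Types are enforced');
      }
      html = String(v);
    },
    get innerHTML() { return html; },
  };
}

// Library side, paraphrasing what the PR adds: find the factory (falling back
// to the pre-rename global) and mint one library-owned policy. Template
// strings are developer-authored, so createHTML is the identity. Call once
// and cache: real factories reject a second policy with the same name.
function createLitHtmlPolicy(w) {
  const tt = w.trustedTypes || w.TrustedTypes;
  return tt ? tt.createPolicy('lit-html', { createHTML: (s) => s }) : null;
}

// Writing a template's markup: use the policy when one exists, otherwise the
// raw string. Either way the element ends up with the same markup.
function setTemplateHtml(policy, element, templateString) {
  element.innerHTML = policy ? policy.createHTML(templateString) : templateString;
  return element.innerHTML;
}

// unsafeHTML: the library mints no policy for caller-supplied markup, so under
// enforcement the caller must pass a TrustedHTML they created themselves.
function unsafeHTML(element, value) {
  element.innerHTML = value;
  return element.innerHTML;
}

// Walk through the situations the description covers and collect the results.
function demo() {
  const out = {};
  // 1. Enforcement on; the allow-list contains lit-html and the app's policy.
  const tt = makeTrustedTypesFactory(['lit-html', 'app-sanitizer']);
  const litPolicy = createLitHtmlPolicy({ trustedTypes: tt });
  out.template = setTemplateHtml(litPolicy, makeElement(true, tt), '<p><!----></p>');

  // 2. unsafeHTML with a plain string is rejected under enforcement ...
  try { unsafeHTML(makeElement(true, tt), '<b>hi</b>'); out.unsafeString = 'allowed'; }
  catch (e) { out.unsafeString = e.constructor.name; }

  // ... but a value minted through the app's own policy (a constructed toy
  // sanitizer, not a real one) is accepted.
  const appPolicy = tt.createPolicy('app-sanitizer', {
    createHTML: (s) => s.replace(/<script[\s\S]*?<\/script>/gi, ''),
  });
  out.unsafeTrusted = unsafeHTML(makeElement(true, tt),
    appPolicy.createHTML('<b>hi</b><script>alert(1)</script>'));

  // 3. A policy name missing from the allow-list fails at creation time.
  try { tt.createPolicy('rogue', { createHTML: (s) => s }); out.rogue = 'allowed'; }
  catch (e) { out.rogue = e.constructor.name; }

  // 4. No Trusted Types at all (older browser): strings keep working unchanged.
  out.legacy = setTemplateHtml(createLitHtmlPolicy({}), makeElement(false, null), '<p></p>');
  return out;
}
```

In a real deployment the allow-list in step 1 is what the CSP `trusted-types lit-html app-sanitizer` directive expresses, with enforcement itself switched on by `require-trusted-types-for 'script'`; that header syntax is taken from the current spec, not from this PR's text, which only says the `lit-html` name must be added to the header. The point the model makes is that the library's policy is scoped to markup the library itself authored, while anything crossing into `unsafeHTML` has to pass through a policy the application owns and can audit.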