Add trusted types support #1750
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Makes the jasmine html reporter compatible with an enforced Trusted Types policy. This should only be necessary for a limited time, as the next version of the proposed specification will not require any special code for URLS (except javascript: URLS). More info about the proposed Trusted Types standard at https://github.com/WICG/trusted-type
|
Any updates on this change ? |
|
Hm, revisiting, I don't think this is necessary anymore, as the shipping version of TrustedTypes doesn't have or need the createURL function. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Makes the jasmine html reporter compatible with an enforced Trusted Types policy.
This should only be necessary for a limited time, as the next version of the proposed specification will not require any special code for URLS (except javascript: URLS).
Motivation and Context
Trusted Types is a proposed extension to CSP that would allow sites to opt into stricter checks for certain DOM APIs, where the server can specify a set of policies that are allowed to create trusted values that may be used with potentially dangerous DOM APIs.
While the it is still only a proposed standard, it is a good time for authors of major libraries and frameworks to test the Trusted Types system to determine if it matches their security needs.
This change declares a policy named "jasmine" which is then used to bless the URLs that Jasmine constructs internally. A testing environment running jasmine in a recent version of Chrome that is running with the flag
--enable-blink-features=TrustedDOMTypesmay send CSP headers that indicate trust in the "jasmine" policy.This code should only be necessary for a limited time, because the Trusted Types spec has recently been updated to handle anchor URLs more transparently. However I think this change will still be useful to land now, as it will enable libraries and frameworks to test with Jasmine and the current implementation that's available in Chrome today behind a flag.
More info about the proposed Trusted Types standard at https://github.com/WICG/trusted-type
How Has This Been Tested?
I've tested this end to end in Chrome 76.0.3809.87 and 77.0.3865.19 with
--enable-blink-features=TrustedDOMTypes, as well as with other browsers in which this change is a no-op.Types of changes
Checklist:
To test this change on CI we'd need a way to send down CSP headers, and to add a Chrome with
--enable-blink-features=TrustedDOMTypesto the browser matrix. I'm not familiar with configuring sauce or the rest of the jasmine CI infrastructure, but I'm happy to take direction!Related change in Karma: karma-runner/karma#3360