@hamishwillee
Collaborator

FF145 supports Trusted Types in early beta in https://bugzilla.mozilla.org/show_bug.cgi?id=1992941

This adds a release note, experimental feature, and updates the API overview page.

It's in draft while I confirm the scope with engineering.

Related work can be tracked in #41507

@github-actions github-actions bot added Content:WebAPI Web API docs Content:Firefox Content in the Mozilla/Firefox subtree size/m [PR only] 51-500 LoC changed labels Oct 14, 2025
@github-actions
Contributor

github-actions bot commented Oct 14, 2025

Preview URLs

Flaws (3)

Note! 4 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/HTTP/Guides/CSP
Title: Content Security Policy (CSP)
Flaw count: 3

  • unknown:
    • No generic content config found
    • no blog root
    • no blog root
External URLs (2)

URL: /en-US/docs/Mozilla/Firefox/Experimental_features
Title: Experimental features in Firefox


URL: /en-US/docs/Mozilla/Firefox/Releases/145
Title: Firefox 145 release notes for developers (Beta)

(comment last updated: 2025-10-28 06:16:58)

Comment on lines 204 to 251
### Extensions to other interfaces

The following sections list injection sinks that are expected to accept trusted types as well as strings.

#### TrustedHTML

- {{domxref("Document.parseHTMLUnsafe_static()")}}
- {{domxref("Document.write()")}}
- {{domxref("DOMParser.parseFromString()")}}
- {{domxref("Element.innerHTML")}}
- {{domxref("Element.insertAdjacentHTML")}}
- {{domxref("Element.outerHTML")}}
- {{domxref("Element.setHTMLUnsafe()")}}
- {{domxref("HTMLIFrameElement.srcdoc")}}
- {{domxref("Range.createContextualFragment()")}}
- {{domxref("ShadowRoot.innerHTML")}}
- {{domxref("ShadowRoot.setHTMLUnsafe()")}}

#### TrustedScript

- {{domxref("HTMLScriptElement.innerText")}}
- {{domxref("HTMLScriptElement.textContent")}}
- {{domxref("HTMLScriptElement.text")}}
- {{domxref("window.setTimeout()")}}
- {{domxref("window.setInterval()")}}

#### TrustedScriptURL

- {{domxref("HTMLScriptElement.src")}}
- {{domxref("SvgAnimatedString.baseVal")}}

## Extensions to HTTP

- {{CSP("require-trusted-types-for")}}
- : Enforces that [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are passed to DOM XSS [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage).
- {{CSP("trusted-types")}}
- : Used to specify an allowlist of [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) policy names.
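
Review bot: Two macro arguments in the sink lists look wrong. Under TrustedHTML, `{{domxref("Element.insertAdjacentHTML")}}` is missing the `()` that every other method entry in these lists carries (compare `Element.setHTMLUnsafe()`), and under TrustedScriptURL the interface is spelled `SvgAnimatedString`, where the interface name is `SVGAnimatedString`; both should be corrected so the cross-references resolve to the intended pages. The intro sentence "The following sections list injection sinks that are expected to accept trusted types as well as strings" also reads as a complete inventory. If the lists are not known to be exhaustive, say so in that sentence, so that readers planning a `require-trusted-types-for` rollout do not treat them as the full set of sinks to audit.
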
Collaborator Author

@wbamberg I added the HTTP list to the TT API overview because the associated CSP directives were not obvious, and I added the injection sink lists because these are APIs that were updated as part of this API, even if not covered in the specific spec.

The injection sink lists may not be exhaustive. Best I can do so far.

@github-actions github-actions bot added the merge conflicts 🚧 [PR only] label Oct 24, 2025
@github-actions
Contributor

This pull request has merge conflicts that must be resolved before it can be merged.

@hamishwillee hamishwillee force-pushed the ff145rel_tt_early_beta branch from 05e5fd2 to 0b6363d Compare October 27, 2025 01:39
@github-actions github-actions bot added merge conflicts 🚧 [PR only] and removed merge conflicts 🚧 [PR only] labels Oct 27, 2025
@github-actions
Contributor

This pull request has merge conflicts that must be resolved before it can be merged.

@hamishwillee hamishwillee force-pushed the ff145rel_tt_early_beta branch from 0b6363d to ddde1a0 Compare October 28, 2025 04:06
@github-actions github-actions bot removed the merge conflicts 🚧 [PR only] label Oct 28, 2025
@hamishwillee hamishwillee force-pushed the ff145rel_tt_early_beta branch from ddde1a0 to 6637909 Compare October 28, 2025 06:15
@github-actions github-actions bot added the Content:HTTP HTTP docs label Oct 28, 2025