Enable Trusted Types #11845
Comments
diracdeltas
added
OS/Android
|
@mariospr do you have any tips on how to do this? |
|
Actually, there's nothing to do for now I think :-) If I'm understanding things right, your PRs from brave/brave-core#6646 and brave/brave-core#6669 removed all traces of insecure assignments to However, as reported in #11642, this started being a problem for Brave when based on Chromium 87, where I needed to add the "Disable Trusted Types mitigation on Brave's Welcome & Rewards pages" patch to make the rewards pages work again. But since your PRs are already in master, and unless there's some other unsafe cases still left in Brave's WebUI pages, we should be able to simply drop that patch I added from the I'll keep this issue open in a tab and will report here once we do such rebase on master and check whether that patch can actually go away for real now. Thanks!! //cc @mkarolin |
|
awesome, thanks! closing for now |
|
Re-opening this since there are still some Brave-specific pages that don't work with Trusted Types. (due to Polymer) |
See https://gist.github.com/shhnjk/a44b13dfdbd83c79bd1e2c1b08508f9d for context.
We should enable Trusted Types by default in WebUI pages and exclude any pages that don't support it yet with
DisableTrustedTypesCSP(https://source.chromium.org/chromium/chromium/src/+/master:content/browser/webui/web_ui_data_source_impl.cc;l=203;drc=2e4a49088b18eee415d8c530dc9b49fd56b33d0c). This will give us parity with Chrome 87: https://bugs.chromium.org/p/chromium/issues/detail?id=41905Upstream pages that don't yet support trusted types:
Note that as of #11642,
src/braveno longer contains any direct calls to innerHTML or dangerouslySetInnerHTMLThe text was updated successfully, but these errors were encountered: