create internal trustedTypes policy only if not specified via config object#801
Conversation
| originalDocument | ||
| ); | ||
| let emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : ''; | ||
| let trustedTypesPolicy; |
There was a problem hiding this comment.
nit: I would move let trustedTypesPolicy declaration just before if (cfg.TRUSTED_TYPES_POLICY) { line
There was a problem hiding this comment.
that wouldn't be possible in the present form of the code, the if condition is part of the _parseConfig function and let trustedTypesPolicy is in the upper scope. Moving it before the if would make it a local variable to _parseConfig and inaccessible to the rest of the methods that look for it on the upper scope. This would be a move involved effort.
There was a problem hiding this comment.
Let's keep current change then if it's intentional.
| ); | ||
| let emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : ''; | ||
| let trustedTypesPolicy; | ||
| let emptyHTML = ''; |
There was a problem hiding this comment.
nit: I would revert let emptyHTML = ''; to original declaration before PR 800
const emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
and move it just after either default or custom trustedTypesPolicy is initialized.
There was a problem hiding this comment.
I believe we would be missing some functionality if we make it a const and initialized one time. Particularly this kind of usage:
try {
DOMPurify.sanitize(dirty1);
} catch(e) {
DOMPurify.sanitize(dirty1, {TRUSTED_TYPES_POLICY: policy});
}
This would be something that developers can use to detect if their host, which they may not control the configuration of, allows the usage of DOMPurify with TT by default or if they need to declare a policy or even create a new instance of DOMPurify for themselves.
There is, however, an alternative to initializing this. Looking at the existing trustedTypes API in Chrome, there seems to be a trustedTypes.emptyHTML signed value built into the API so this declaration would not be needed anymore. We could simply declare it as
const emptyHTML = trustedTypes? trustedTypes.emptyHTML : ''
I did not want to make that change because I do not have enough information to know if the API is considered stable at the moment and if this will be supported in the future. Should be an easy improvement for a follow up PR in case it is.
There was a problem hiding this comment.
Let's keep current change then if it's intentional.
|
Cool, are we ready for a merge? 😊 |
|
@cure53 let's do it! I'm ready to upgrade whenever the new release is published. |
Summary
Before #800:
After #800:
sanitizeandsetConfigallow switching from the internal policy to a user provided one whenTRUSTED_TYPES_POLICYconfiguration option is passed via the configuration object.This PR:
sanitizeorsetConfigif and only ifTRUSTED_TYPES_POLICYconfiguration option is not specified in the configuration object. This maintains behavior prior to support TRUSTED_TYPES_POLICY configuration option #800.Background & Context
See #798 for the background discussion.
Note: since the original
loadDOMPurifytest helper was performing a call tosanitizewithout any configuration option this triggered the creation of the internal policy and I could not write a test to validate that there is no policy created when supplyingTRUSTED_TYPES_POLICYconfiguration option. I had to refactor the helper to allow writing a new test which specifically looks for the number of policies created when DOMPurify is loaded on the page and after calls tosanitize.Tasks