
hamishwillee
Collaborator

FF145 supports Trusted Types in early beta in https://bugzilla.mozilla.org/show_bug.cgi?id=1992941

This adds a release note, experimental feature, and updates the API overview page.

It's in draft while I confirm the scope with engineering.

Related work can be tracked in #41507

@github-actions github-actions bot added Content:WebAPI Web API docs Content:Firefox Content in the Mozilla/Firefox subtree size/m [PR only] 51-500 LoC changed labels Oct 14, 2025
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Contributor

github-actions bot commented Oct 14, 2025

Preview URLs

Flaws (2)

Note! 2 documents with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/API/Trusted_Types_API
Title: Trusted Types API
Flaw count: 2

  • macros:
    • Can't resolve /en-US/docs/Web/API/HTMLScriptElement/innerText
    • Can't resolve /en-US/docs/Web/API/HTMLScriptElement/textContent
External URLs (2)

URL: /en-US/docs/Mozilla/Firefox/Experimental_features
Title: Experimental features in Firefox


URL: /en-US/docs/Mozilla/Firefox/Releases/145
Title: Firefox 145 for developers

(comment last updated: 2025-10-14 02:11:53)

Comment on lines +204 to +240
### Extensions to other interfaces

The following sections list injection sinks that are expected to accept trusted types as well as strings.

#### TrustedHTML

- {{domxref("Document.parseHTMLUnsafe_static()")}}
- {{domxref("Document.write()")}}
- {{domxref("DOMParser.parseFromString()")}}
- {{domxref("Element.innerHTML")}}
- {{domxref("Element.insertAdjacentHTML")}}
- {{domxref("Element.outerHTML")}}
- {{domxref("Element.setHTMLUnsafe()")}}
- {{domxref("HTMLIFrameElement.srcdoc")}}
- {{domxref("Range.createContextualFragment()")}}
- {{domxref("ShadowRoot.innerHTML")}}
- {{domxref("ShadowRoot.setHTMLUnsafe()")}}

#### TrustedScript

- {{domxref("HTMLScriptElement.innerText")}}
- {{domxref("HTMLScriptElement.textContent")}}
- {{domxref("HTMLScriptElement.text")}}
- {{domxref("window.setTimeout()")}}
- {{domxref("window.setInterval()")}}

#### TrustedScriptURL

- {{domxref("HTMLScriptElement.src")}}
- {{domxref("SvgAnimatedString.baseVal")}}

## Extensions to HTTP

- {{CSP("require-trusted-types-for")}}
- : Enforces that [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are passed to DOM XSS [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage).
- {{CSP("trusted-types")}}
- : Used to specify an allowlist of [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) policy names.
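
Review bot: In the TrustedScript list, `{{domxref("HTMLScriptElement.innerText")}}` and `{{domxref("HTMLScriptElement.textContent")}}` are the two macros the flaw report on this PR says it can't resolve, so they will not link to an existing page. Either add those two pages as part of this change or point the macros at pages that exist and state in text that the sink applies on script elements. Two smaller points in the same lists: `SvgAnimatedString.baseVal` should be spelled `SVGAnimatedString.baseVal` to match the interface name, and `Element.insertAdjacentHTML` is missing the `()` that the other methods in the TrustedHTML list carry.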
Collaborator Author

@wbamberg I added the HTTP list to the TT API overview because the associated CSP directives were not obvious, and I added the injection sink lists because these are APIs that were updated as part of this API, even if not covered in the specific spec.

The injection sink lists may not be exhaustive. Best I can do so far.
