Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add helpers to make it easier to use trusted types #114

Open
ditman opened this issue Dec 5, 2023 · 6 comments
Open

Add helpers to make it easier to use trusted types #114

ditman opened this issue Dec 5, 2023 · 6 comments

Comments

@ditman
Copy link
Member

ditman commented Dec 5, 2023

I think HTMLScriptElement needs a src setter that accepts a TrustedScriptURL.

After conditionally creating a trustedUrl like this:

  // If TrustedTypes are available, prepare a trusted URL.
  web.TrustedScriptURL? trustedUrl;
  if ((web.window as JSObject).hasProperty('trustedTypes'.toJS).toDart) {
    // create a TrustedTypePolicy `policy` object
    trustedUrl = policy.createScriptURL(_url, null);
  }

I'm finding myself doing this:

  final web.HTMLScriptElement script =
      // ignore: avoid_dynamic_calls
      (web.document.createElement('script') as dynamic
        // ignore: unsafe_html
        ..src = (trustedUrl ?? _url)
        ..async = true
        ..defer = true) as web.HTMLScriptElement;

Docs:

(Another way would be to pass trustedUrl.toString(), but that kind of defeats the purpose of TrustedScriptURLs, and would still flag me as unsafe_html I think :/)
@sigmundch
Copy link
Member

Thanks for filing the issue - I like the alternative you did in https://github.com/flutter/packages/pull/5581/files#diff-fef182cc76f54d7074aee070ced4ddd44ad9233ebf438472221dc834f5f342d9 where you added an extra setter with the right type. The workaround using dynamic relies on using the dart:html interceptor, and if one day we remove it (which we hope we do in the future), it would stop working.

This was referenced Dec 7, 2023
Closed
Merged
@ditman
Copy link
Member Author

ditman commented Dec 7, 2023

Yes, the workaround with dynamic felt very iffy, and it triggered a bunch of unsafe_html lints :) Being able to rename the setter was nice!

@srujzs srujzs changed the title Cannot set TrustedScriptURL to HTMLScriptElement.src? Add helpers to make it easier to use trusted types Jan 9, 2024
@srujzs
Copy link
Contributor

srujzs commented Jan 9, 2024

I'm generalizing this issue a bit more to address some other use cases I'm seeing like checking whether trustedTypes is available, and the ability to not pass anything for args in createScriptURL.

@ditman
Copy link
Member Author

ditman commented Feb 16, 2024

Trusted Types with the latest syntax has landed #173 again, but it still needs tweaks to be usable. I've created #175 so we don't forget :)

@kevmoo
Copy link
Member

kevmoo commented Feb 16, 2024

I wonder if we should be able to flag certain top-level..."things" as optional so the generator can understand them...

@ditman
Copy link
Member Author

ditman commented Feb 16, 2024

TrustedTypes is one of the most egregious examples, though:

I'm not aware of any other non-prefixed chrome-only "top level" APIs like this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kevmoo @ditman @sigmundch @srujzs