[Feature Request] Trusted Types support

### Problem Statement

_Not sure if this lib is still actively maintained but some of our apps still depend on it and use it_ 

ReactXP framework should support [Trusted Types API](https://w3c.github.io/webappsec-trusted-types/dist/spec/) so that it can be seamlessly integrated with web applications that enforce Trusted Types for all [DOM XSS Injection Sinks](https://w3c.github.io/webappsec-trusted-types/dist/spec/#dom-xss-injection-sinks) (e.g. assignments to Element.innerHTML property) using [require-trusted-types-for CSP directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for). Trusted Types APIs are now fully supported in web browsers based on Blink engine (Chrome, Edge, Electron and others). 

### Proposed solution

First we need to identify all instances where ReactXS integrates with such methods and propose re-factoring. We need to be careful to keep supporting web browsers without Trusted Types support and, obviously, mobile platforms (iOS and Android). 

We know about these locations so far:

- Assigning empty string into Element.innerHTML
  - We could either use [TrustedTypePolicyFactory.emptyHTML](https://w3c.github.io/webappsec-trusted-types/dist/spec/#dom-trustedtypepolicyfactory-emptyhtml) or rewrite using assignment to Element.innerText, call to [Element.replaceChildren()](https://developer.mozilla.org/en-US/docs/Web/API/Element/replaceChildren) and so on.
  - https://github.com/microsoft/reactxp/blob/6b6c56f930aec0bf1250573c691a5c7e6ab05091/src/web/CustomScrollbar.ts#L263
  - https://github.com/microsoft/reactxp/blob/6b6c56f930aec0bf1250573c691a5c7e6ab05091/src/web/CustomScrollbar.ts#L427
  - https://github.com/microsoft/reactxp/blob/6b6c56f930aec0bf1250573c691a5c7e6ab05091/src/web/CustomScrollbar.ts#L432
- Assigning static HTML into Element.innerHTML
  - We could rewrite using standard DOM manipulation functions ([Document.createElement](https://developer.mozilla.org/en-US/docs/Web/API/Document/createElement), [Element.setAttribute()](https://developer.mozilla.org/en-US/docs/Web/API/Element/setAttribute), ...)
  - https://github.com/microsoft/reactxp/blob/6b6c56f930aec0bf1250573c691a5c7e6ab05091/src/web/CustomScrollbar.ts#L249
- Assigning dynamic HTML into HTMLIFrameElement.srcdoc
  - This is in extension, we can maybe ignore or pass content through HTML sanitizer such as [DOMPurify](https://github.com/cure53/DOMPurify)
  - https://github.com/microsoft/reactxp/blob/6b6c56f930aec0bf1250573c691a5c7e6ab05091/extensions/webview/src/web/WebView.tsx#L101

## References

- [Trusted Types Home](https://github.com/w3c/webappsec-trusted-types#trusted-types)
  - [Introduction for Web Developer](https://web.dev/trusted-types/)
  - [Specification](https://w3c.github.io/webappsec-trusted-types/dist/spec/)
  - [Existing Integrations](https://github.com/w3c/webappsec-trusted-types/wiki/Integrations)
  - [FAQ](https://github.com/w3c/webappsec-trusted-types/wiki/FAQ)
  - ...
- [CSP directive require-trusted-types-for](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Feature Request] Trusted Types support #1344

Problem Statement

Proposed solution

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Feature Request] Trusted Types support #1344

Description

Problem Statement

Proposed solution

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions