Skip to content

Add HTMLScriptElement IDL changes for Trusted Types#12195

Open
lukewarlow wants to merge 1 commit into
whatwg:mainfrom
lukewarlow:upstream-script-idl-trusted-types
Open

Add HTMLScriptElement IDL changes for Trusted Types#12195
lukewarlow wants to merge 1 commit into
whatwg:mainfrom
lukewarlow:upstream-script-idl-trusted-types

Conversation

@lukewarlow

@lukewarlow lukewarlow commented Feb 24, 2026

Copy link
Copy Markdown
Member

Add HTMLScriptElement IDL changes for Trusted Types

This upstreams the changes to HTMLScriptElement's IDL that was previously patched by the trusted types specification.

HTMLScriptElement now shadows innerText and textContent, so these can take a TrustedScript object.

Its src and text properties are also updated to take TrustedScriptURL and TrustedScript respectively.

Depends on w3c/trusted-types#607

This has no behaviour changes and is just moving spec text from Trusted Types to the HTML spec.

  • At least two implementers are interested (and none opposed):
    • ...
  • Tests are written and can be reviewed and commented upon at:
  • Implementation bugs are filed:
    • Chromium: …
    • Gecko: …
    • WebKit: …
    • Deno (only for timers, structured clone, base64 utils, channel messaging, module resolution, web workers, and web storage): …
    • Node.js (only for timers, structured clone, base64 utils, channel messaging, and module resolution): …
  • Corresponding HTML AAM & ARIA in HTML issues & PRs:
  • MDN issue is filed: …
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


/infrastructure.html ( diff )
/scripting.html ( diff )

This upstreams the changes to HTMLScriptElement's IDL that was previously patched by the trusted types specification.

HTMLScriptElement now shadows innerText and textContent, so these can take a TrustedScript object.

Its src and text properties are also updated to take TrustedScriptURL and TrustedScript respectively.
@lukewarlow

lukewarlow commented Feb 24, 2026

Copy link
Copy Markdown
Member Author

Upstreaming these changes without the rest is useful for typescript etc to derive types from IDL, the other parts around script elements are less well defined so probably shouldn't be upstreamed to HTML yet.

Though potentially as a follow-up we can export an algorithm from the Trusted Types spec, that we call from HTML so we're not monkey patching prepare the script algorithm within Trusted Types forevermore.

@annevk annevk left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this. I have some concerns:

  1. Did we reach agreement on shadowing all these properties?
  2. I think we should add some kind of issue marker about the unresolved issues with the script element if we make it appear more complete.

@lukewarlow

lukewarlow commented Feb 25, 2026

Copy link
Copy Markdown
Member Author

Did we reach agreement on shadowing all these properties?

It's what is now implemented in all 3 major engines. So I guess yes? I'm not sure if this is something that needs further discussion but I guess the cats already out the bag.

Fwiw it specifically came from a WebKit review on the original design being quite complicated and potentially perf sensitive.

I think we should add some kind of issue marker about the unresolved issues with the script element if we make it appear more complete.

So with these change I did deliberately call into the trusted types spec to avoid anything "unfinished" within the HTML spec itself, but I'm happy to add an issue marker, I'll have a think on exactly what to put in it (happy to take usggestions if you have any)

@lukewarlow

Copy link
Copy Markdown
Member Author

@annevk out of interest if I rebase this and move an issue block somewhere to the script section to replicate what is mentioned in the trusted types spec above incompleteness, would you be open to accepting it? Or do you want an alternative approach? It would be good to fix the webref issue. If it's not desirable to upstream I can look into alternative fixes for that.

@annevk

annevk commented Jun 7, 2026

Copy link
Copy Markdown
Member

I think that would be good enough, yeah.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants