| CARVIEW |
Select Language
HTTP/2 200
date: Sat, 11 Oct 2025 05:23:00 GMT
content-type: text/html; charset=utf-8
cache-control: no-cache
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com github.githubassets.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com wss://alive-staging.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com marketplace-screenshots.githubusercontent.com/ copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
referrer-policy: no-referrer-when-downgrade
server-timing: pull_request_layout-fragment;desc="pull_request_layout fragment";dur=327.408801,conversation_content-fragment;desc="conversation_content fragment";dur=1381.393897,conversation_sidebar-fragment;desc="conversation_sidebar fragment";dur=338.105922,nginx;desc="NGINX";dur=1.210892,glb;desc="GLB";dur=137.148832
strict-transport-security: max-age=31536000; includeSubdomains; preload
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
x-content-type-options: nosniff
x-frame-options: deny
x-voltron-version: aab62e3
x-xss-protection: 0
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=fYlARjHZf7YPIdWJOlGafom6npFGgs8T7MnE2zV62plX3BtTh9xk5RS9f7q5Bas1IFMtVfIlrL0hW%2FJeN59knqBmsaLqa2TFZQuhQHGEF3a1cJv3Nv3QR4nwihDiLBI8ho7n3La3GYvM80sDe3mVXnzv6bNsucMPuv5CkhFrLFOhtrmDwVDZDH9Oa7jPvCZWnqmOQ5%2FEOraJVZMflXR8tXgQtv56hRi2gdjmsBCV9BaJJqKHVbXZKmSfSF9q7DJm81VoI4CY6SefOgJnzj%2Bg5Q%3D%3D--tBj7Mo2HjN5FAe2S--%2F98S59Wje6JmgV9T%2BB4TAA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.2112417182.1760160179; Path=/; Domain=github.com; Expires=Sun, 11 Oct 2026 05:22:59 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sun, 11 Oct 2026 05:22:59 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: D3FE:E3EA6:319EE3:46D831:68E9E9B3
feat(runtime-dom): trusted types compatibility by haoqunjiang · Pull Request #10844 · vuejs/core · GitHub
haoqunjiang
changed the title
fix: ensure no trusted types violations on fresh mount
fix: ensure no trusted types violations by default
May 7, 2024
haoqunjiang
changed the title
fix: ensure no trusted types violations by default
feat: ensure no trusted types violations by default
May 8, 2024
haoqunjiang
changed the title
feat: ensure no trusted types violations by default
feat: ensure no trusted types violations
May 8, 2024
haoqunjiang
changed the title
feat: ensure no trusted types violations
feat: ensure no trusted types violations when May 8, 2024
haoqunjiang
changed the title
feat: ensure no trusted types violations when
feat(runtime-dom): a new May 8, 2024
yyx990803
force-pushed
the
feat-trusted-types-compat
branch
from
May 30, 2024 03:27
yyx990803
changed the title
feat(runtime-dom): a new
feat(runtime-dom): trusted types compatibility
Aug 28, 2024
Skip to content
Navigation Menu
{{ message }}
-
-
Notifications
You must be signed in to change notification settings - Fork 8.9k
feat(runtime-dom): trusted types compatibility #10844
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Size ReportBundles
Usages
|
|
|
lukewarlow
reviewed
May 5, 2024
lukewarlow
reviewed
May 5, 2024
haoqunjiang
changed the title
haoqunjiang
changed the title
haoqunjiang
changed the title
haoqunjiang
changed the title
__VUE_PROD_TRUSTED_TYPES__ enabled
haoqunjiang
changed the title
__VUE_PROD_TRUSTED_TYPES__ enabled__VUE_PROD_TRUSTED_TYPES__ flag for trusted types compatibility
Am I correct in thinking this also could have a follow up to allow TrustedHTML objects to be passed to v-html? Or is that automatically handled? |
This is automatically handled as this test case shows: https://github.com/vuejs/core/pull/10844/files#diff-5329e45cfbe289d331762479cc76fe38b6657526dc2a9e2cd6f4729baa6b3e44R81-R102 |
This was referenced May 15, 2024
|
Since this is a feat I changed the target branch to |
This isn't a complete fix because `innerHTML` assignment also occurs in `insertStaticContent`. But at least this makes the hello-world app work with trusted types enabled. I'm still figuring out how to add test cases for trusted types. Remaining todos: - [ ] Add test cases for trusted types. - [ ] Fix `insertStaticContent` to be compatible with trusted types, we may need a `vue` policy for that case. - [ ] Add a note in the docs about trusted types compatibility. - [ ] Allow trusted values to be passed to `v-html` and other props, this ultimately fixes vuejs/rfcs#614
…p mounting Because `replaceChildren` isn't supported in all browsers, we still need to use `innerHTML` to clear the container before mounting the app. I left the compat mode implementation in `runtime-core` as is because it doesn't feel right to use a DOM-only API in `runtime-core`.
It seems that the only source of the `content` is the output of `stringifyStatic` in `compiler-dom`. I guess no additional check is needed here.
Setting `textContent` to empty string is the equivalent of setting `innerHTML` to empty string, but it doesn't trigger trusted types policy violation. Though maybe not as clear and performant as `trustedTypes.emptyHTML`, the code is more succint considering that we don't need to check for the existence of `trustedTypes` before using it.
…d default to false
yyx990803
force-pushed
the
feat-trusted-types-compat
branch
from
4b8e4ce to
a608074
Compare
|
After looking at the implementation, the additional code isn't that heavy and I think it's better to always support trusted types without having to explicitly turn it on for production. This also avoids having to update relevant docs / plugins to support the new flag. |
yyx990803
changed the title
__VUE_PROD_TRUSTED_TYPES__ flag for trusted types compatibility
This was referenced Mar 28, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
You can’t perform that action at this time.
This PR introduces a new
__VUE_PROD_TRUSTED_TYPES__feature flag to enable support for Trusted Types. Addressing vuejs/rfcs#614.For Trusted Types, I created a
vuepolicy to convert the HTML string output from the Vue compiler to theTrustedHTMLtype.This implementation works with the current enforcement of Google Workspace products without any issue.
In some rare circumstances, where the user explicitly configured allowed policy names and not allowing duplicates (
Content-Security-Policy: trusted-types vue <their-custom-policy>;without a trailingallow-duplicates), a second version of Vue on the same web page would fail to create the built-in trusted types policy.This may be solved by allowing users to customize the built-in policy name, but I don't think it's worth the complexity at this moment, considering the low adoption rate of this feature.
Note that the in-browser compiler doesn't benefit from this PR because it's already incompatible with many content security policies anyway.
Remaining todos: