Chrome Version: 72.0.3626.7 (Official Build) dev (64-bit)
OS: gLinux
What steps will reproduce the problem?(1) tt = TrustedTypes.createPolicy('tt', {createURL: s => s})
(2) tt.createURL('a').toString()
What is the expected result?
'a'
What happens instead?
''
tt.createURL('http://a').toString() returns 'http://a' as expected.
I think the report is correct, and I'll fix this soon-ish.
(I'll be on holidays for a a bit, so "soon-ish" will likely be early Jan '19.)
Also, thank you for trying out Trusted Types!
---
The current TrustedURL* implementation(s) wrap a KURL instance (instead of a string), and don't use the base URL to parse relative URLs. That causes the behaviour reported.
I'll need to figure out whether parsing should use the base URL, or whether we shouldn't parse at all and just wrap a string. koto@ said offline he thinks of any Trusted* objects as strings. That probably does make the most sense here.
Yes, I think we should wrap over strings, simply for backwards compatibility. The policies might decide to absolutize the URLs themselves using the document.baseURI or any other base.
Comment 1 by vogelheim@chromium.org
, Dec 11