Skip to content

HTMLScriptElement.src - update for TrustedScriptURL #41413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

HTMLScriptElement.src - update for TrustedScriptURL #41413

wants to merge 3 commits into from
+91 −3

Conversation

hamishwillee
Copy link
Collaborator

This updates the TrustedScriptURL documentation for HTMLScriptElement/src to include information about using it with trusted types.

I don't know why/when it would ever make sense to do take an untrusted string, and if you did, to use trusted types. I've presented this primarily as "Use CSP to restrict the script options but if you have to take and untrusted script then you can use TT".

Project tracking in #37518
@hamishwillee hamishwillee requested a review from a team as a code owner October 7, 2025 06:17
@hamishwillee hamishwillee requested review from wbamberg and removed request for a team October 7, 2025 06:17
@github-actions github-actions bot added Content:WebAPI Web API docs size/m [PR only] 51-500 LoC changed labels Oct 7, 2025
@hamishwillee hamishwillee mentioned this pull request Oct 7, 2025
Open
32 tasks
hamishwillee
hamishwillee commented Oct 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Oct 7, 2025
View reviewed changes
files/en-us/web/api/htmlscriptelement/src/index.md
- `TypeError`
- : Thrown if the property is set with a string when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are [enforced by a CSP](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types) and no default policy is defined.
This is also thrown if the fetched URL cannot be successfully parsed as its indicated type, such as a module or importmap.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[mdn-linter] reported by reviewdog 🐶

Suggested change
hamishwillee
hamishwillee commented Oct 7, 2025
View reviewed changes
files/en-us/web/api/htmlscriptelement/src/index.md

- `TypeError`
- : Thrown if the property is set with a string when [Trusted Types](/en-US/docs/Web/API/Trusted_Types_API) are [enforced by a CSP](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types) and no default policy is defined.
This is also thrown if the fetched URL cannot be successfully parsed as its indicated type, such as a module or importmap.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't quite right, but I'm not sure how to be precise.
I believe it is a NetworkError on fetching. TypeError is thrown for an importmap during parsing (https://html.spec.whatwg.org/multipage/webappapis.html#import-map-authoring-requirements), and I think it is a Syntax error you get normally on parsing JavaScript.

Thoughts?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Content:WebAPI Web API docs size/m [PR only] 51-500 LoC changed

1 participant

@hamishwillee