Remove fromLiteral from spec.

w3c · Jan 16, 2024 · 89e93a1 · 89e93a1
1 parent 29e42ec
commit 89e93a1
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 130 deletions.
diff --git a/explainer.md b/explainer.md
@@ -213,26 +213,6 @@ trustedTypes.createPolicy('default', {
 This mechanism complements CSP's `'unsafe-inline'`, allowing the authors to enable strong security 
 controls in their application even if it occasionally uses `javascript:` URLs for legitimate purposes. 
 
-### Source Literals
-
-XSS is an unintended modification of a site's source code. Wrapping literals
-from the original JavaScript resource - which by definition aren't XSS - can be
-cumbersome. Trusted Types provides a way to easily wrap source literals in
-Trusted Types by using the tagged template syntax and the `fromLiteral` methods,
-in a way that cannot be spoofed at runtime:
-
-``` javascript
-const value = TrustedHTML.fromLiteral`<b>Hello there.</b>`;
-```
-
-Note that template literals are passed as arrays of strings to the tag functions.
-`fromLiteral` checks that a passed-in value is actually a template literal
-and not dynamically constructed.
-
-``` javascript
-TrustedHTML.fromLiteral(["<b>Hello there.</b>"]);  // Throws.
-```
-
 ### DOM Sinks
 
 *   **HTML Contexts**: Given something like `typedef (DOMString or TrustedHTML) HTMLString`, we'd

diff --git a/spec/index.bs b/spec/index.bs
@@ -284,7 +284,6 @@ wrappers around a string, constructed via a {{TrustedTypePolicy}}'s
 interface TrustedHTML {
   stringifier;
   DOMString toJSON();
-  static TrustedHTML fromLiteral(object templateStringsArray);
 };
 </pre>
 
@@ -297,9 +296,6 @@ will never change during its lifetime.
 TrustedHTML object are to return the value from its
 `[[Data]]` internal slot.
 
-The <dfn method for="TrustedHTML">fromLiteral(object templateStringsArray)</dfn> method, when invoked, returns the result of executing a [$Create a Trusted Type from literal$] algorithm,
-with {{TrustedHTML}} as |type| and |templateStringsArray| as |template|.
-
 ### <dfn interface>TrustedScript</dfn> ### {#trusted-script}
 
 The TrustedScript interface represents a string with an uncompiled
@@ -314,7 +310,6 @@ around a string, constructed via a {{TrustedTypePolicy}}'s
 interface TrustedScript {
   stringifier;
   DOMString toJSON();
-  static TrustedScript fromLiteral(object templateStringsArray);
 };
 </pre>
 
@@ -327,9 +322,6 @@ will never change during its lifetime.
 TrustedScript object are to return the value from its
 `[[Data]]` internal slot.
 
-The <dfn method for="TrustedScript">fromLiteral(object templateStringsArray)</dfn> method, when invoked, returns the result of executing a [$Create a Trusted Type from literal$] algorithm,
-with {{TrustedScript}} as |type| and |templateStringsArray| as |template|.
-
 ### <dfn interface>TrustedScriptURL</dfn> ### {#trused-script-url}
 
 The TrustedScriptURL interface represents a string that a developer
@@ -344,7 +336,6 @@ string, constructed via a {{TrustedTypePolicy}}'s
 interface TrustedScriptURL {
   stringifier;
   USVString toJSON();
-  static TrustedScriptURL fromLiteral(object templateStringsArray);
 };
 </pre>
 
@@ -357,9 +348,6 @@ will never change during its lifetime.
 TrustedScriptURL object are to return the value from its
 `[[Data]]` internal slot.
 
-The <dfn method for="TrustedScriptURL">fromLiteral(object templateStringsArray)</dfn> method, when invoked, returns the result of executing a [$Create a Trusted Type from literal$] algorithm,
-with {{TrustedScriptURL}} as |type| and |templateStringsArray| as |template|.
-
 ## <dfn>Policies</dfn> ## {#policies-hdr}
 
 Trusted Types can only be created via user-defined
@@ -925,29 +913,6 @@ a string |value| and a list |arguments|, execute the following steps:
     Note: This adds an integration point with [dynamic-code-brand-checks proposal](https://tc39.es/proposal-dynamic-code-brand-checks/).
 1.  Return |trustedObject|.
 
-## <dfn abstract-op>Create a Trusted Type from literal</dfn> ## {#create-a-trusted-type-from-literal-algorithm}
-
-Given a {{TrustedType}} type |type| and an object |template|, execute the following steps:
-
-1.  If [$check templatedness$] of |template| returns false, throw a {{TypeError}}.
-1.  If [$Get$](|template|, "length") is not equal to 1, throw a {{TypeError}}.
-1.  Let |templatedValue| be the result of [$Get$](|template|, 0).
-1.  If |type| is {{TrustedHTML}}, perform the following steps:
-    1.  Let |templateNode| be the results of [=create an element|creating an element=] given "template", the [=HTML namespace=] and [=current global object=]'s [=associated Document=].
-    1.  Assert: |templateNode| is {{HTMLTemplateElement}}.
-    1.  Let |fragment| be the result of invoking [$fragment parsing algorithm$], with |templatedValue| as <var ignore>markup</var>, and |templateNode| as a <var ignore>context element</var>.
-    1.  Set |templatedValue| to be the result of invoking [=HTML fragment serialization algorithm=], with |fragment| as <var ignore>the node</var>.
-
-1. Return a new instance of an interface |type|, with its `[[Data]]` internal slot value set to |templatedValue|.
-
-## Check templatedness of an object ## {#check-templatedness-algorithm}
-
-To <dfn abstract-op>check templatedness</dfn> of an object |value|, perform the following steps. They return a boolean value:
-
-1. Let |realm| be the <a>current Realm Record</a>.
-1. For each |item| of |realm|.\[[TemplateMap]], if |item|.\[[Array]] is |value|, return true.
-1. Return false.
-
 ## <dfn abstract-op>Get Trusted Type compliant string</dfn> ## {#get-trusted-type-compliant-string-algorithm}
 
 This algorithm will return a string that can be used with an

diff --git a/src/trustedtypes.js b/src/trustedtypes.js
@@ -202,30 +202,6 @@ export const trustedTypesBuilderTestOnly = function() {
     }
   }
 
-  /**
-   * @template T
-   * @this {T}
-   * @param {!ITemplateArray} template
-   * @return {T}
-   */
-  function fromLiteral(template) {
-    if (!isFrozen(template)
-        || !isFrozen(template.raw)
-        || template.length !== 1) {
-      // Not a template object.
-      throw new TypeError('Invalid input');
-    }
-    let allowedValue = raw(template);
-    if (this === TrustedHTML) {
-      const tplEl = createElement.call(null, 'template');
-      tplEl.innerHTML = allowedValue;
-      allowedValue = tplEl.innerHTML;
-    }
-    const o = freeze((new this(creatorSymbol, 'fromLiteral')));
-    privates(o)['v'] = allowedValue;
-    return o;
-  }
-
   /**
    * @param {function(new:TrustedType, symbol, string)} SubClass
    * @param {string} canonName The class name which should be independent of
@@ -235,9 +211,6 @@ export const trustedTypesBuilderTestOnly = function() {
   function lockdownTrustedType(SubClass, canonName) {
     freeze(SubClass.prototype);
     delete SubClass.name;
-    defineProperty(SubClass, 'fromLiteral', {value:
-      fromLiteral.bind(SubClass),
-    });
     defineProperty(SubClass, 'name', {value: canonName});
   }
 

diff --git a/tests/trustedtypes_test.js b/tests/trustedtypes_test.js
@@ -623,52 +623,4 @@ describe('TrustedTypes', () => {
       expect(eval(TrustedTypes.emptyScript)).toBeTruthy();
     });
   });
-
-  describe('fromLiteral', () => {
-    it('creates a TrustedScript', () => {
-      const script = TrustedTypes.TrustedScript.fromLiteral`alert(1)`;
-
-      expect(TrustedTypes.isScript(script)).toBe(true);
-      expect('' + script).toEqual('alert(1)');
-    });
-
-    it('creates a TrustedScriptURL', () => {
-      const scriptURL = TrustedTypes.TrustedScriptURL.fromLiteral`https://foo.example`;
-
-      expect(TrustedTypes.isScriptURL(scriptURL)).toBe(true);
-      expect('' + scriptURL).toEqual('https://foo.example');
-    });
-
-    it('creates a TrustedHTML', () => {
-      const html = TrustedTypes.TrustedHTML.fromLiteral`<div>foo</div>`;
-
-      expect(TrustedTypes.isHTML(html)).toBe(true);
-      expect('' + html).toEqual('<div>foo</div>');
-    });
-
-    it('canonicalizes TrustedHTML', () => {
-      const html = TrustedTypes.TrustedHTML.fromLiteral`<div>foo`;
-
-      expect(TrustedTypes.isHTML(html)).toBe(true);
-      expect('' + html).toEqual('<div>foo</div>');
-    });
-
-    it('must be called as a template tag', () => {
-      expect(() => {
-        TrustedTypes.TrustedScript.fromLiteral([`alert(1)`]);
-      }).toThrowError(TypeError);
-    });
-
-    it('must not interpolate', () => {
-      expect(() => {
-        TrustedTypes.TrustedScript.fromLiteral`alert(${'1'})`;
-      }).toThrowError(TypeError);
-    });
-
-    it('cannot be overridden', () => {
-      expect(() => {
-        TrustedTypes.TrustedScript.fromLiteral = () => {};
-      }).toThrow();
-    });
-  });
 });