CSP trusted types is an API that allows a website to reduce the possibility of XSS by controlling what kind of content can be placed in a "sink" like .innerHTML.
This release introduces a flexible callback that allows the calling code to provide its own sanitization or rejection of an server response for an <include-fragment-element>. For example, the site may want to allow the server to send a header to assert that certain HTML is sanitized and safe to use as-is, or the site may want to run the response through a sanitizer.
What's Changed
- move AOR to primer by @keithamus in #80
- Switch Promise chaining to async-await syntax. by @lgarron in #82
- Fix the location of
tryin new async code. by @lgarron in #83 - Fix up types for cached and returned data. by @lgarron in #84
- Add a script for
npm run format. by @lgarron in #85 - Switch to web test runner by @keithamus in #86
- Add
setCSPTrustedTypesPolicy()for CSP trusted types. by @lgarron in #81 - throw errors rather than resolving them by @keithamus in #87
New Contributors
- @lgarron made their first contribution in #82
- @rzhade3 and @fletchto99 made their first contribution in #81
Full Changelog: v6.0.1...v6.1.0