From 8626e6489b477dad4f0e27b0019e646b6125f1a1 Mon Sep 17 00:00:00 2001
From: Luke Warlow
Date: Tue, 19 Mar 2024 11:56:08 +0000
Subject: [PATCH] Remove enforcement from embed and object elements

See https://github.com/w3c/trusted-types/issues/305
---
 spec/index.bs | 33 ---------------------------------
 1 file changed, 33 deletions(-)

diff --git a/spec/index.bs b/spec/index.bs
index a70a7c8..c9c4455 100644
--- a/spec/index.bs
+++ b/spec/index.bs
@@ -1093,10 +1093,7 @@ To get Trusted Types-compliant attribute value on
 ElementAttribute namespaceAttribute local nameTrustedTypeSink
 {{HTMLIFrameElement}}null"srcdoc"{{TrustedHTML}}"HTMLIFrameElement srcdoc"
- {{HTMLEmbedElement}}null"src"{{TrustedScriptURL}}"HTMLEmbedElement src"
 {{HTMLScriptElement}}null"src"{{TrustedScriptURL}}"HTMLScriptElement src"
- {{HTMLObjectElement}}null"data"{{TrustedScriptURL}}"HTMLObjectElement data"
- {{HTMLObjectElement}}null"codebase"{{TrustedScriptURL}}"HTMLObjectElement codebase"
 {{SVGScriptElement}}null"href"{{TrustedScriptURL}}"SVGScriptElement href"
 {{SVGScriptElement}}XLink namespace"href"{{TrustedScriptURL}}"SVGScriptElement href"
@@ -1205,21 +1202,6 @@ The first few steps of the [=prepare the script element=] algorithm are modified
  • ...
-### Enforcement in element attributes ### {#enforcement-in-sinks}
-
-This document modifies following IDL attributes of various DOM elements:
-
-
    -partial interface HTMLEmbedElement {
    -  [CEReactions] attribute ScriptURLString src;
    -};
    -
    -partial interface HTMLObjectElement {
    -  [CEReactions] attribute ScriptURLString data;
    -  [CEReactions] attribute ScriptURLString codeBase; // obsolete
    -};
    -
    -
 ### Enforcement in timer functions ### {#enforcement-in-timer-functions}
 This document modifies the {{WindowOrWorkerGlobalScope}} interface mixin:
@@ -1668,21 +1650,6 @@ restrictions:
 * HTML imports
-## Plugin navigation ## {#plugins}
-
-Plugin content may have access to the document that embeds it (or; more broadly,
-to the origin it was served from), often giving it the same capabilities
-as DOM XSS. That's why Trusted Types limit {{HTMLEmbedElement}}'s <{embed/src}> to
-{{TrustedScriptURL}}.
-
-However, it is also possible to navigate an existing object / embed to an
-arbitrary location, bypassing the {{TrustedScriptURL}} restriction.
-
-Since plugin content in the web in general is being phased out for other
-security reasons, and their navigation model is in flux, we recommend authors
-to prevent that bypass vector by limiting the plugins altogether with
-[=object-src=]. For example: `Content-Security-Policy: object-src: none`.
-
 ## Script gadgets ## {#script-gadgets}
 While Trusted Types logic is called on many operations that results in creating