diff --git a/packages/compiler/src/schema/trusted_types_sinks.ts b/packages/compiler/src/schema/trusted_types_sinks.ts
index 49d03aa7fab..0d69ccee47f 100644
--- a/packages/compiler/src/schema/trusted_types_sinks.ts
+++ b/packages/compiler/src/schema/trusted_types_sinks.ts
@@ -11,7 +11,7 @@
 * tags use '*'.
 *
 * Extracted from, and should be kept in sync with
- * https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations
+ * https://www.w3.org/TR/trusted-types/#integrations
 */
 const TRUSTED_TYPES_SINKS = new Set([
 // NOTE: All strings in this set *must* be lowercase!
@@ -25,6 +25,7 @@ const TRUSTED_TYPES_SINKS = new Set([
 // TrustedScriptURL
 'embed|src',
+ 'iframe|src',
 'object|codebase',
 'object|data',
 ]);
diff --git a/packages/compiler/test/schema/trusted_types_sinks_spec.ts b/packages/compiler/test/schema/trusted_types_sinks_spec.ts
index d6f8dc96be3..dca36afa89a 100644
--- a/packages/compiler/test/schema/trusted_types_sinks_spec.ts
+++ b/packages/compiler/test/schema/trusted_types_sinks_spec.ts
@@ -13,6 +13,7 @@ describe('isTrustedTypesSink', () => {
 expect(isTrustedTypesSink('iframe', 'srcdoc')).toBeTrue();
 expect(isTrustedTypesSink('p', 'innerHTML')).toBeTrue();
 expect(isTrustedTypesSink('embed', 'src')).toBeTrue();
+ expect(isTrustedTypesSink('iframe', 'src')).toBeTrue();
 expect(isTrustedTypesSink('a', 'href')).toBeFalse();
 expect(isTrustedTypesSink('base', 'href')).toBeFalse();
 expect(isTrustedTypesSink('div', 'style')).toBeFalse();
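Review bot: The new `'iframe|src'` entry under `// TrustedScriptURL` carries no note on where it comes from, while the header comment of this set says the list is extracted from, and kept in sync with, the spec's integrations section. As far as I can tell that section does not name iframe `src` as a TrustedScriptURL sink, so this looks like a deliberate extension; if it is, a later sync against the spec could drop it without anyone noticing that iframe `src` bindings lost their policy requirement. I would add a comment directly above the entry, for example `// Not in the spec's integration list; kept deliberately so iframe src bindings require a TrustedScriptURL.` The Set literal opens above this hunk.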
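Review bot: The added `iframe`/`src` assertion pins only the positive case, and none of the `toBeFalse` checks below it covers `src` on an element outside the set, so an over-broad entry such as a wildcard `*|src` would still pass this spec. Assuming the lines of the set not shown in this diff hold no `img` entry, adding `expect(isTrustedTypesSink('img', 'src')).toBeFalse();` next to the existing negative checks would catch that. The enclosing test block starts and ends outside the hunk.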