Bypasses via attributes

[koto]

In the Chrome version, when require-trusted-types is enabled

a = document.createElement('script')
a.src = 'http://foo.bar' // throws
a.setAttribute('src', 'http://foo.bar') // does not throw, and...
a.outerHTML == "<script src="http://foo.bar"></script>"

In the polyfill this is fixed, but this works:

a = document.createElement('script');
a.setAttribute('src', TrustedScriptURL.unsafelyCreate('http://foo.bar'));
a.attributes.src.value = 'http://evil.com'; // does not throw, and...
a.outerHTML == "<script src="http://evil.com"></script>"

[koto]

As noted by @mikesamuel, bypasses will be possible if a Symbol is enumerable via Object.getOwnPropertySymbols, similarly Object.create can be used to initialise the object without being able to call its constructor.

[koto]

Duplicate of #47.