Update standards position on Trusted Types - fixes mozilla#20
Frederik Braun committed Dec 11, 2023
1 parent 742589f commit 784f70d
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions activities.json
Expand Up @@ -1573,8 +1573,8 @@
"description": "An API that allows applications to lock down powerful APIs to only accept non-spoofable, typed values in place of strings to prevent vulnerabilities caused by using these APIs with attacker-controlled inputs.",
"id": "trusted-types",
"mozBugUrl": null,
"mozPosition": "neutral",
"mozPositionDetail": "The API could be used to harden sites against certain cross-site scripting issues, but it is sufficiently complex that we are concerned that it will not be suitable for many sites.",
"mozPosition": "positive",
"mozPositionDetail": "Mozilla believes that preventing DOM-based XSS is an important security goal. The track record of preventing DOM-based XSS is convincing. That being said, the Trusted Types specification is also providing API methods with little or unknown value and uptake, like getPropertyType, getAttributeType. Additionally, there are features in the Chrome implementations that are not yet standardized, like the beforepolicycreation event. These should ideally be properly standardized (based on a proven need) or deprecated and removed. Dealing with inscrutable third-party dependencies or external JavaScript has been a major concern of security and enforcing reasonable boundaries is a promising approach. We believe that runtime checking of untrusted HTML might pair well with a Sanitizer API that should be complementary.",
"mozPositionIssue": 20,
"org": "W3C",
"title": "Trusted Types",