Use setting via setStrictTemplatePolicy export.

lib/elements/dom-bind.js

@@ -12,6 +12,7 @@ import '../utils/boot.js';
 import { PropertyEffects } from '../mixins/property-effects.js';
 import { OptionalMutableData } from '../mixins/mutable-data.js';
 import { GestureEventListeners } from '../mixins/gesture-event-listeners.js';
+import { strictTemplatePolicy } from '../utils/settings.js';
 
 /**
  * @constructor
@@ -50,7 +51,7 @@ export class DomBind extends domBindBase {
 
   constructor() {
     super();
-    if (window.strictTemplatePolicy) {
+    if (strictTemplatePolicy) {
       throw new Error(`strictTemplatePolicy: dom-bind not allowed`);
     }
     this.root = null;

lib/elements/dom-module.js

@@ -10,6 +10,7 @@ subject to an additional IP rights grant found at http://polymer.github.io/PATEN
 import '../utils/boot.js';
 
 import { resolveUrl, pathFromUrl } from '../utils/resolve-url.js';
+import { strictTemplatePolicy } from '../utils/settings.js';
 
 let modules = {};
 let lcModules = {};
@@ -121,7 +122,7 @@ export class DomModule extends HTMLElement {
   register(id) {
     id = id || this.id;
     if (id) {
-      if (window.strictTemplatePolicy && findModule(id)) {
+      if (strictTemplatePolicy && findModule(id)) {
         modules[id] = lcModules[id.toLowerCase()] = null;
         throw new Error(`strictTemplatePolicy: dom-module ${id} registered twice`);
       }

lib/legacy/class.js

@@ -7,9 +7,10 @@ The complete set of contributors may be found at http://polymer.github.io/CONTRI
 Code distributed by Google as part of the polymer project is also
 subject to an additional IP rights grant found at http://polymer.github.io/PATENTS.txt
 */
-import { LegacyElementMixin } from './legacy-element-mixin.js';
 
+import { LegacyElementMixin } from './legacy-element-mixin.js';
 import { DomModule } from '../elements/dom-module.js';
+import { strictTemplatePolicy } from '../utils/settings.js';
 
 let metaProps = {
   attached: true,
@@ -156,7 +157,7 @@ function GenerateClassFromInfo(info, Base) {
       // get template first from any imperative set in `info._template`
       return info._template ||
         // next look in dom-module associated with this element's is.
-        (!window.strictTemplatePolicy && (DomModule && DomModule.import(this.is, 'template'))) ||
+        (!strictTemplatePolicy && (DomModule && DomModule.import(this.is, 'template'))) ||
         // next look for superclass template (note: use superclass symbol
         // to ensure correct `this.is`)
         Base.template ||

lib/mixins/element-mixin.js

@@ -16,6 +16,7 @@ import { pathFromUrl, resolveCss, resolveUrl as resolveUrl$0 } from '../utils/re
 import { DomModule } from '../elements/dom-module.js';
 import { PropertyEffects } from './property-effects.js';
 import { PropertiesMixin } from './properties-mixin.js';
+import { strictTemplatePolicy } from '../utils/settings.js';
 
 /**
  * Element class mixin that provides the core API for Polymer's meta-programming
@@ -378,7 +379,7 @@ export const ElementMixin = dedupingMixin(base => {
      */
     static get template() {
       if (!this.hasOwnProperty(JSCompiler_renameProperty('_template', this))) {
-        this._template = (!window.strictTemplatePolicy && DomModule && DomModule.import(
+        this._template = (!strictTemplatePolicy && DomModule && DomModule.import(
           /** @type {PolymerElementConstructor}*/ (this).is, 'template')) ||
           // note: implemented so a subclass can retrieve the super
           // template; call the super impl this way so that `this` points

lib/utils/settings.js

@@ -38,11 +38,10 @@ export const setRootPath = function(path) {
 };
 
 /**
- * A global callback used to sanitize any value before inserting it into the DOM. The callback signature is:
+ * A global callback used to sanitize any value before inserting it into the DOM.
+ * The callback signature is:
  *
- *     Polymer = {
- *       sanitizeDOMValue: function(value, name, type, node) { ... }
- *     }
+ *  function sanitizeDOMValue(value, name, type, node) { ... }
  *
  * Where:
  *
@@ -66,6 +65,7 @@ export const setSanitizeDOMValue = function(newSanitizeDOMValue) {
   sanitizeDOMValue = newSanitizeDOMValue;
 };
 
+
 /**
  * Globally settable property to make Polymer Gestures use passive TouchEvent listeners when recognizing gestures.
  * When set to `true`, gestures made from touch will not be able to prevent scrolling, allowing for smoother
@@ -83,3 +83,22 @@ export let passiveTouchGestures = false;
 export const setPassiveTouchGestures = function(usePassive) {
   passiveTouchGestures = usePassive;
 };
+
+/**
+ * Setting to ensure Polymer template evaluation only occurs based on tempates
+ * defined in trusted script.  When true, `<dom-module>` based template lookup
+ * is disabled, `<dom-bind>` is disabled, and `<dom-if>`/`<dom-repeat>`
+ * templates will only evaluate in the context of a trusted element template.
+ */
+export let strictTemplatePolicy = false;
+
+/**
+ * Sets `strictTemplatePolicy` globally for all elements
+ *
+ * @param {boolean} useStrictPolicy enable or disable strict template policy
+ *   globally
+ * @return {void}
+ */
+export const setStrictTemplatePolicy = function(useStrictPolicy) {
+  strictTemplatePolicy = useStrictPolicy;
+};

lib/utils/templatize.js

@@ -11,6 +11,7 @@ import './boot.js';
 
 import { PropertyEffects } from '../mixins/property-effects.js';
 import { MutableData } from '../mixins/mutable-data.js';
+import { strictTemplatePolicy } from '../utils/settings.js';
 
 // Base class for HTMLTemplateElement extension that has property effects
 // machinery for propagating host properties to children. This is an ES5
@@ -495,7 +496,7 @@ and this string can then be deleted`;
  * @suppress {invalidCasts}
  */
 export function templatize(template, owner, options) {
-  if (window.strictTemplatePolicy && !owner._methodHost) {
+  if (strictTemplatePolicy && !owner._methodHost) {
     throw new Error('strictTemplatePolicy: template owner not trusted');
   }
   options = /** @type {!TemplatizeOptions} */(options || {});

test/unit/strict-template-policy.html

@@ -15,8 +15,9 @@ subject to an additional IP rights grant found at http://polymer.github.io/PATEN
   <script src="wct-browser-config.js"></script>
   <script src="../../node_modules/wct-browser-legacy/browser.js"></script>
   <script type="module">
-      import {Debouncer} from '../../lib/utils/debounce.js';
-      window.strictTemplatePolicy = true;
+      import { setStrictTemplatePolicy } from '../../lib/utils/settings.js';
+      import { Debouncer } from '../../lib/utils/debounce.js';
+      setStrictTemplatePolicy(true);
       // Errors thrown in custom element reactions are not thrown up
       // the call stack to the dom methods that provoked them, so need
       // to catch them here and prevent mocha from complaining about them
@@ -88,6 +89,9 @@ subject to an additional IP rights grant found at http://polymer.github.io/PATEN
             throw new Error(window.globalError.message);
           }
         }, re);
+        if (HTMLTemplateElement.bootstrap) {
+          HTMLTemplateElement.bootstrap();
+        }
       }
 
       test('dom-bind', function() {
@@ -128,11 +132,13 @@ subject to an additional IP rights grant found at http://polymer.github.io/PATEN
 
       test('dom-module never used', function() {
         var el = document.createElement('trusted-element');
+        document.getElementById('target').appendChild(el);
         assert.notOk(el.shadowRoot);
       });
 
       test('dom-module never used (legacy)', function() {
         var el = document.createElement('trusted-element-legacy');
+        document.getElementById('target').appendChild(el);
         assert.notOk(el.shadowRoot);
       });