-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
createPolicy
's permitted policy names are inconsistent with CSP's permitted policy names
#504
Comments
In today's meeting with @koto, @lukewarlow and some Mozillians it was agreed to adapt https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy to match the policy names permitted by https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive. @otherdaniel: could you please add a use counter for the now undesired policy names of |
There are meetings outside the purview of WebAppSec? Shouldn't those be announced at least? Or if they are completely private I don't think they can be used to make decisions and probably shouldn't be discussed here. Please see https://www.w3.org/2023/Process-20231103/#GeneralMeetings. |
The meeting in question is an Igalia project update meeting so is "private" in that sense. it just also happens to have lots of people involved in the spec and implementation so is useful to get people's thoughts on issues that we come across with the spec. I'm unaware of anything that we've discussed there that hasn't otherwise been raised as an issue previously. I think to reword it "it was agreed that it seemed a reasonable idea" and it's good to get use counters in early if we do end up making this sort of change. |
@annevk: thanks for bringing this up. The agreement above was just a collective suggestion, so please feel free to object to it. It's not a decision. I understand one has to be careful here. |
This might be a good indication that a broader update on Trusted Types might be helpful for the WebAppSec community more broadly. Would y'all be interested in talking about it in the meeting on May 15th? |
Getting back to the technical issue. I suspect that unlike as in #466 there will be back compat issues, but we need a use counter first to have more information. @otherdaniel, can you add one? |
https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy has no restrictions on the policy name,
https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive has.
E.g.
trustedTypes.createPolicy("$")
is supported andtrusted-types $
not.#466 is a special case of this.
The text was updated successfully, but these errors were encountered: