I expect that most people who would use Trusted Types don't want <base> to be used at all and so it should be easy to implement the equivalent of CSP base-uri 'none' (and maybe base-uri 'self') in a Trusted-Types policy. This makes me think that base URLs shouldn't have the same type as other URLs.
Currently the base URL requires TrustedScriptURL due to it being more powerful than TrustedURL, but it has some unique capabilities which is to change the meaning of other TrustedScriptURL and TrustedURL instances.
The issue though is mostly about changing the meaning of relative URLs, rather than javascript: prefix in specific. Changing script URLs to point to a different host would be equally bad.
Extracted from #152:
@briansmith:
Currently the base URL requires TrustedScriptURL due to it being more powerful than TrustedURL, but it has some unique capabilities which is to change the meaning of other TrustedScriptURL and TrustedURL instances.
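The point raised in this thread, as an added example that is not code from the issue or from the Trusted Types project: a relative script URL that passed an origin check resolves to a different host once the base changes, which is why a base value needs its own check. The functions below are a hypothetical model built on the standard URL class, not the Trusted Types API, and all hosts and paths are constructed.

```javascript
// Constructed sample values for illustration only.
const PAGE_URL = 'https://app.example/dashboard/index.html';
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://app.example']);

// Hypothetical policy callback: vets a script URL string when it is created,
// resolving it against the base in effect at that moment.
function vetScriptURL(input, baseAtCreation) {
  const resolved = new URL(input, baseAtCreation);
  if (!ALLOWED_SCRIPT_ORIGINS.has(resolved.origin)) {
    throw new TypeError(`script origin not allowed: ${resolved.origin}`);
  }
  return input; // the vetted value still carries the relative string
}

// Where the vetted string actually points when it later reaches a sink.
function resolveAtUse(vetted, baseAtUse) {
  return new URL(vetted, baseAtUse).href;
}

// Separate check for base values, modelled on CSP base-uri 'none' / 'self'.
function vetBaseURL(candidate, mode) {
  if (mode === 'none') return false; // no <base> accepted at all
  if (mode === 'self') {
    let resolved;
    try {
      resolved = new URL(candidate, PAGE_URL);
    } catch {
      return false; // unparseable base values are rejected
    }
    return resolved.origin === new URL(PAGE_URL).origin;
  }
  throw new RangeError(`unknown mode: ${mode}`);
}

// Same vetted string, two different bases, two different hosts.
function demo() {
  const vetted = vetScriptURL('js/app.js', PAGE_URL);
  const otherBase = 'https://other.example/'; // constructed
  return {
    before: resolveAtUse(vetted, PAGE_URL),
    after: resolveAtUse(vetted, otherBase),
    otherBaseAllowedBySelf: vetBaseURL(otherBase, 'self'),
  };
}
```

The origin check in vetScriptURL never runs again after the base changes, so only the base check stands between the vetted string and the second host.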