mbrodesser-Igalia changed the title on Jan 25, 2024
from: Why are cross-document vectors only partially addressable with CSP propagation rules?
to: Addressing cross-document vectors comprehensively relies on "origin-policy" which is a proposal which is on hold
I don't think there are, at least in Web APIs? For TT (or, more generally, CSP) it's a known limitation. Controls are per-document or realm, whereas XSS affects the whole origin.
https://w3c.github.io/trusted-types/dist/spec/#cross-document-vectors mentions that.
Examples of instances not addressable appreciated.
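Because Trusted Types enforcement is attached to each document rather than to the origin, a defender can at least inventory which documents on an origin are served without an enforcing policy. The script below is an added example, not code from this issue or from the Trusted Types spec; the URLs, the sample responses and the function names are constructed for illustration, and header names are assumed to be lowercased already.

```javascript
// Added example: list documents of an origin that do not enforce Trusted Types.
// Function names and sample data are hypothetical, not from the spec or the issue.

// Split a Content-Security-Policy header value into its policies
// (comma-separated), each a Map of directive name -> array of values.
function parseCsp(headerValue) {
  return headerValue.split(",").map((policy) => {
    const directives = new Map();
    for (const part of policy.split(";")) {
      const [name, ...values] = part.trim().split(/\s+/);
      // Within one policy the first occurrence of a directive wins.
      if (name && !directives.has(name.toLowerCase())) {
        directives.set(name.toLowerCase(), values);
      }
    }
    return directives;
  });
}

// True if any enforced policy on this response requires Trusted Types.
// The report-only header is deliberately ignored: it does not enforce.
function enforcesTrustedTypes(headers) {
  const value = headers["content-security-policy"];
  if (!value) return false;
  return parseCsp(value).some((p) =>
    (p.get("require-trusted-types-for") || []).includes("'script'"));
}

// Group responses by origin and collect the paths lacking enforcement.
function findUncoveredDocuments(responses) {
  const gaps = {};
  for (const { url, headers } of responses) {
    const { origin, pathname } = new URL(url);
    gaps[origin] = gaps[origin] || [];
    if (!enforcesTrustedTypes(headers)) gaps[origin].push(pathname);
  }
  return gaps;
}

// Constructed sample: one protected document and three same-origin gaps.
const sampleResponses = [
  { url: "https://app.example/", headers: { "content-security-policy":
      "default-src 'self'; require-trusted-types-for 'script'; trusted-types default" } },
  { url: "https://app.example/help/embed.html", headers: { "content-security-policy":
      "default-src 'self'" } },
  { url: "https://app.example/legacy/report.html", headers: {
      "content-security-policy-report-only": "require-trusted-types-for 'script'" } },
  { url: "https://app.example/error", headers: {} },
];

console.log(findUncoveredDocuments(sampleResponses));
```

An empty list for an origin only shows that the sampled responses carry an enforcing header; it says nothing about documents that were not sampled.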