Creating a policy with policyName="" is possible, but can't be referred to by the "trusted-types" CSP directive #466
Comments
Adding a keyword
This feels like it shouldn't be allowed? But if we reject unnamed policies that might be a compat risk?
There are use-cases where policy-names are irrelevant. E.g. when allowing all policies via the wildcard
I would like to understand if people really do this... Who might have some experience with how common/good an idea (or even just 'why') people would do an unnamed policy? @koto ?
We always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with @otherdaniel, can we add a use counter for unnamed policies?
Done. (TrustedTypesCreatePolicyWithEmptyName; not sure yet which release it'll appear in.)
E.g. https://jsfiddle.net/q5kmL492/ is possible.
https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive requires the policy-name to consist of at least one character.
That might be annoying when one writes multiple policies named `""` and wants to limit trusted-types to those policies later.
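
The mismatch this issue describes, as an added example (not code from the thread, the spec, or any browser): a simplified JavaScript model of how a `trusted-types` directive value is matched against a policy name. The function names are hypothetical, the directive values are constructed, and the model assumes the spec's `tt-policy-name` grammar plus its `*` wildcard and `'allow-duplicates'` keyword.

```javascript
// Simplified model of the "trusted-types" CSP directive allowlist check.
// Not a browser implementation; all function names here are hypothetical.

// tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
// The "1*" means at least one character, so "" can never be a listed name.
const POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// Split a directive value into policy names, keywords and the wildcard.
function parseTrustedTypesDirective(value) {
  const d = { names: new Set(), wildcard: false, allowDuplicates: false,
              none: false, invalid: [] };
  for (const token of value.split(/[ \t\n\f\r]+/).filter(Boolean)) {
    if (token === "*") d.wildcard = true;
    else if (token === "'allow-duplicates'") d.allowDuplicates = true;
    else if (token === "'none'") d.none = true;
    else if (POLICY_NAME.test(token)) d.names.add(token);
    else d.invalid.push(token); // does not match any tt-expression
  }
  return d;
}

// Would createPolicy(policyName) pass this directive, given the policy
// names already created in the same realm?
function isPolicyCreationAllowed(directiveValue, policyName, existingNames = []) {
  const d = parseTrustedTypesDirective(directiveValue);
  if (existingNames.includes(policyName) && !d.allowDuplicates) return false;
  return d.wildcard || d.names.has(policyName);
}

// Constructed directive values showing the gap for policyName === "".
function demo() {
  return {
    named: isPolicyCreationAllowed("default app#html", "app#html"),
    emptyByName: isPolicyCreationAllowed("default app#html", ""),
    quotedEmptyTokens: parseTrustedTypesDirective('default ""').invalid,
    emptyViaWildcard: isPolicyCreationAllowed("*", ""),
    secondEmpty: isPolicyCreationAllowed("*", "", [""]),
    secondEmptyWithDuplicates:
      isPolicyCreationAllowed("* 'allow-duplicates'", "", [""]),
  };
}
```

In this model the only directive that admits an empty-named policy is one containing `*`, and a second `""` policy additionally needs `'allow-duplicates'`, so a deployment cannot narrow the allowlist to just its unnamed policies.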