Add use case for safely transitioning websites to not use any DOM XSS injection sinks

[mbrodesser-Igalia]

As mentioned at
mozilla/standards-positions#20 (comment).

[koto]

That seems already captured by the existing goals, no? What is mentioned here is just one of technical means to "minimize the likelihood of client-side vulnerabilities", and "reduce security review surface".

[mbrodesser-Igalia]

Yes. The technical means and its more explicit, since it mentions transitioning existing websites.
TBH this might be obvious to someone very familiar with the API and the topic, for others not.

Feel free to disagree though and reject this change.

[mbrodesser-Igalia]

"Enable iteratively transitioning" would be even clearer from my point of view.

The only other sections where that information seems correctly placed is the introduction or the use cases section.

Identifying that real-world use case took, at least me, some time.

[mbrodesser-Igalia]

WDYT about changing: "Allow the detection of vulnerabilities" to "Allow the usability-preserving detection of". And adding a use case like

'A website uses DOM XSS injection sinks. The website-developer adds trusted types to it and monitors violations by using the Content-Security-Policy-Report-Only header field. Violations are iteratively fixed by refactoring the code to use only save methods. Afterwards, no DOM XSS injection sinks are called anymore. Hence, no trusted types are required anymore. The developer switches the report-only mode off and disables trusted type policies with the require-trusted-types-for directive. The website's functionality was never impaired during the refactorings.'

[koto]

I like that. The only change I'd suggest would be "save" -> "safe".

[mbrodesser-Igalia]

Added a patch for it with that fixed and disabling trusted types policies slightly more explained.