
Add WPTs for CSP `sandbox allow-scripts` combined with Trusted Types

Open mbrodesser-Igalia opened this issue 1 year ago • 2 comments

https://w3c.github.io/webappsec-csp/#directive-sandbox

The sandbox directive is ignored when delivered via a <meta> tag.

mbrodesser-Igalia avatar May 09 '24 14:05 mbrodesser-Igalia

Are you asking if they are required because it's hard to use an HTTP header (shouldn't be)?

annevk avatar May 13 '24 11:05 annevk

> Are you asking if they are required because it's hard to use an HTTP header (shouldn't be)?

Not because of that. Because I wasn't sure it's a relevant scenario for trusted-types. But since it's a possible scenario, there should be tests.

ghost avatar May 13 '24 14:05 ghost

@mbrodesser-Igalia Can you please elaborate a bit more what you had in mind?

Is the idea just that the sandbox directive disables scripts by default, so we should make sure scripts involving the Trusted Types APIs continue to work if allow-scripts is specified?

It's not clear to me why we want to test Trusted Types specifically, the behavior should be true for any JavaScript code.

fred-wang avatar Mar 07 '25 13:03 fred-wang

> @mbrodesser-Igalia Can you please elaborate a bit more what you had in mind?
>
> Is the idea just that the sandbox directive disables scripts by default, so we should make sure scripts involving the Trusted Types APIs continue to work if allow-scripts is specified?
>
> It's not clear to me why we want to test Trusted Types specifically, the behavior should be true for any JavaScript code.

I vaguely remember that some sandbox- and trusted-type-code in Gecko for CSP was next to each other and it wasn't obvious to me whether combinations of those flags work correctly: https://searchfox.org/mozilla-central/rev/d5baa11e35e0186c3c867f4948010f0742198467/dom/security/nsCSPParser.cpp#1202-1216.

However, testing such combinations might be overkill.

ghost avatar Mar 10 '25 07:03 ghost

> I vaguely remember that some sandbox- and trusted-type-code in Gecko for CSP was next to each other and it wasn't obvious to me whether combinations of those flags work correctly: https://searchfox.org/mozilla-central/rev/d5baa11e35e0186c3c867f4948010f0742198467/dom/security/nsCSPParser.cpp#1202-1216. However, testing such combinations might be overkill.

OK, thanks for clarifying. These do not seem to be features likely to conflict when used together, so I suppose it's probably not the most important test to write. I'm fine if we add tests for this though.

fred-wang avatar Mar 10 '25 14:03 fred-wang