Frédéric Wang
@Josh-Cena right, I'm not really aware of other use cases.
See also https://github.com/w3c/webappsec-csp/pull/363 for the general issue. Mirko commented about `trusted-types` too in https://github.com/w3c/webappsec-csp/pull/363#issuecomment-2160193577
So another case considered invalid by tests is "'script''script'" (missing required-ascii-whitespace). But it seems Chromium and WebKit are forgiving for that case too and after my changes at https://phabricator.services.mozilla.com/D243259 I...
Another inconsistency: the CSP spec relies on the "report-sample" script-src to determine whether or not to clip the violation's sample, but the Trusted Types spec does that unconditionally.
@smaug---- @annevk @otherdaniel I wonder what you think about this? If that's ok, I guess I can send a spec PR.
We have a couple of instances of "instance of": ``` grep 'instance of' spec/index.bs :: Returns true if value is an instance of {{TrustedHTML}} and has an associated [=TrustedHTML/data=] value...
cc @otherdaniel @koto I'm trying to write more WPT tests at https://bugzilla.mozilla.org/show_bug.cgi?id=1958311 for pre-navigation check, as the current set is limited. This is still WIP but I noticed a couple of...
What's the status of this? I tried adding some tests for invalid CSP names there https://github.com/web-platform-tests/wpt/pull/50872/files#diff-675a0a46e4fbc7fce1b72d1f48cdf824e55fa0a123f8105df01b3c53f3946161 but probably it's not possible until we clarify this.
The tests I added for invalid/valid policy names were for use in the CSP trusted-types directive. We still need to check valid/invalid policy names passed to (I can't really find...
I opened a PR with a tentative test and none of the browsers are rejecting policy names that are not CSP tt-policy-name: https://github.com/web-platform-tests/wpt/pull/51718