Krzysztof Kotowicz

Actually, having looked at it, for Trusted Types in specific, we might need to be able to validate and coerce a given 'eval' argument to a string before e.g. [`PerformEval`](https://tc39.github.io/ecma262/#sec-performeval)...

@mikesamuel, this is now merged into https://github.com/tc39/proposal-dynamic-code-brand-checks, right?

It's basically https://github.com/tc39/proposal-dynamic-code-brand-checks#problem-3-host-callout-does-not-receive-the-code-to-check, isn't it? On Fri, Aug 19, 2022 at 3:45 PM Caridy Patiño ***@***.***> wrote: > @Jack-Works I agreed with you, in fact I > was very surprised...

/cc @otherdaniel @koto @domenic

IDL level is a single place, where the check may be applied effectively via extended attribute (alternatively, multiple places in DOM and HTML would have to be modified separately). Additionally,...

> Sure. The question is why it can't run after IDL argument work but before anything else (just like CEReactions run after everything else on methods that have them). TT...

> I asked why we can't have the semantics of "run before any of the operation steps". That is a possible alternative - in fact this is what we used...

> > The move to IDL type mapping is to avoid having type unions and branching on the types in each operation. > I'm not quite following this, sorry. Can...

> OK, that makes things much clearer. Yes, sorry about not being explicit about that early on. I don't think we have a precedent for such behavior in the web...

> > The CSP check doesn't need to know what method is involved? > > Ah, I guess it just needs to know "the type to convert to". the method...