Krzysztof Kotowicz
It's only testing the mechanics of the DOM integration. We have to pick a realm to run the TT checks against, and this is a way to test that we're...
/cc @mikewest, do you have an opinion here? Essentially, it all boils down to whether the `trusted-types` directive (and JS code conforming to it) should be able to bypass...
Pingy ping @mikewest
@otherdaniel do you remember how the parser sets the slot value? What algorithm is it a part of?
@otherdaniel can we measure when the default policy for TrustedScripts changes the value? If not used, I think we could write it such that a value that is different from...
I think it makes sense.
Coercing to a string was intentional, though the main case was to prevent passing objects to policy functions, as they then could enable several bypasses (e.g. objects that stringify to...
> > Returning null or undefined (vs '') from default policy functions triggers a CSP violation,
>
> > Why?

https://github.com/w3c/trusted-types/issues/414 has some context, but indeed:

- If the default policy...
We discussed this in the past, and [concluded](https://github.com/w3c/trusted-types/issues/347#issuecomment-892874167) that `fromLiteral` should be always allowed. There's no interpolation, and template literals can only be created from syntax, so no dynamic user-controlled...