Krzysztof Kotowicz

Results 232 comments of Krzysztof Kotowicz

Yes. Now let's bikeshed about the flag name :)

That sounds good, thanks for that! Alternatively `trustedTypes.isRequiredFor('script')`, not to pollute the namespace in the future? I also think it should return `true` if at least one of the CSPs...

> > Enabling report-only mode should be a no-op, adding this feature means that now enabling report-only mode can break your application. > > Ah, I see. > > So,...

Having discussed this, I feel that if we want to expose the API, we probably want to do this at the CSP level (our chosen delivery mechanism), rather than solving...

The Blink/V8 implementation already has the behavior above. The ECMAScript bits are progressing through TC39.

Note: change the spec text once https://github.com/tc39/proposal-dynamic-code-brand-checks stabilizes. It will likely require adding a slot to `TrustedScript` and adjusting for the new host callout signature - in CSP ( https://w3c.github.io/webappsec-trusted-types/dist/spec/#csp-eval)...

/cc @xtofian @bakkot @Siegrift @otherdaniel @Sora2455 from previous bugs about this.

First comment has a rough sketch of the proposal. Does it look OK on your end? We wanted to start speccing it.

Perhaps `` should require `TrustedScriptURL`? I filed https://bugs.chromium.org/p/chromium/issues/detail?id=1300195 for Chromium.

This vector using regular `href` attribute also works:

```javascript
let attackerControlledString = "data:image/svg+xml,#x";
const svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
const use = document.createElementNS("http://www.w3.org/2000/svg", "use");
use.setAttribute('href', attackerControlledString);
svg.appendChild(use);
document.body.appendChild(svg);
```

To make sure I understand the...