Luke Warlow

Related issue: https://github.com/w3c/trusted-types/issues/252

Closing this as the parser now at least sets the "script text" value and the null vs empty string issue has been resolved. #525 covers discrepencies between implementation and spec.

The exact specifics of what this could look like are up for discussion, I can see us calling the default policy and just make sure the return value is the...

Yeah so a use counter for when the policy is invoked for eval or function and the return value is a string and that string is different from the string...

> Is the intention to remove calling the default policy for eval and some other injection sinks, but not all other injection sinks? From a web-dev's perspective that seems inconsistent....

@otherdaniel when you're able to add those use counters could you leave a comment here just to keep the context all in one place.

I think our best course of action is to assume we can make this change, and update the tc39 spec and this one accordingly. The tc39 change is more likely...

https://github.com/w3c/trusted-types/pull/465 is the relevant change to this spec and the tc39 proposal change is linked in it (already approved by nico)

@koto @otherdaniel based on the discussions above would you be okay with https://github.com/tc39/proposal-dynamic-code-brand-checks/pull/12 being merged and us progressing the tc39 proposal on the assumption the use counters come back okay?...

@otherdaniel were you able to add the use counter for this yet?