Mirko Brodesser
> Consider the following scenario:
>
> ```
> setTimeout(null, 1);
> ```
>
> In a TT environment this would require `null` to be TrustedScript value. Say we define...
> Returning null or undefined (vs '') from default policy functions triggers a CSP violation,

Why? Be aware that for values `null` and `undefined`, the default policy might return `'null'`...
> > > Returning null or undefined (vs '') from default policy functions triggers a CSP violation,
> >
> > Why?
>
> #414 has some context,...
> Wouldn't the no-op version of TrustedTypes be:
>
> ```js
> const noOpTtPolicy = trustedTypes.createPolicy("noOp", {
>   createHTML: (htmlString) => {
>     return htmlString;
>   },
>   createScriptURL: (scriptUrlString)...
@shhnjk: given your experience of deploying TT (https://github.com/w3c/trusted-types/issues/398#issuecomment-1910771081), what's your take on the necessity for a no-op mode?
> > This allows shipping v1 without guarding all injection sinks. Covering the remaining sinks (#385) could be done in v2.
>
> I'm not sure I follow. Do you...
> Does this issue need to remain open?

No.

> Idk if there's anything actionable from it?

No.
E.g. https://jsfiddle.net/6hj2xra7/
https://w3c.github.io/trusted-types/dist/spec/#trusted-types mentions it's intended, so the test needs to be adapted.
Some injection sinks are covered implicitly by one change of the spec. E.g. `eval()` and `Function()` are covered by https://w3c.github.io/trusted-types/dist/spec/#csp-eval.