Mirko Brodesser

An additional test for https://github.com/web-platform-tests/wpt/pull/44323#pullrequestreview-1994155470 is required.

Reopening to address https://github.com/w3c/trusted-types/issues/425#issuecomment-2056452603.

> @mbrodesser-Igalia do you think you'd be able to give this a review? If this could wait until I actually start implementing it in Gecko, that might be most effective.

> > @mbrodesser-Igalia do you think you'd be able to give this a review? > > If this could wait until I actually start implementing it in Gecko, that might...

> Apologies if I'm missing something but I believe that the spec as currently written blocks any inline script elements from executing. > > https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts > > A new [[ScriptText]]...

> I also don't think the slot can be initially null either. > > `data:text/html,const s = document.createElement('script'); container.appendChild(s); > Else something like this would trigger a trusted types violation...

> > Per which part of the spec would that trigger a TT violation? > > When it's running prepare script text it will compare the inner slot value to...

> > > Per which part of the spec would that trigger a TT violation? > > > > > > When it's running prepare script text it will compare...

> Following on from discussions recently with @caridy it's possible we could avoid the default policy fallback for eval (and Function() etc). Is the intention to remove calling the default...

> > Is the intention to remove calling the default policy for eval and some other injection sinks, but not all other injection sinks? From a web-dev's perspective that seems...