[trusted-type] Delay the ttPolicy creation until the customer really uses it.

Open licanhua opened this issue 3 years ago • 0 comments

This is a follow-up on https://github.com/microsoft/AdaptiveCards/pull/7910#discussion_r975208157

This directive Content-Security-Policy/trusted-types controls what TT policies are allowed in the client.

If the app now consumes a new version of the AC SDK without changing this directive, all calls to window.trustedTypes.createPolicy will respect the trusted-types directive and fail if the policy name is not allowed.

In our code, we are creating TT policies during package load. This means the package will trigger a CSP violation and fail to load if the TT policy is not allowed. It would be better (in my opinion) to create the policy when we first use it.

Possible solution:

let ttDeprecatedPolicy: undefined | null | PolicyType;

function GetPolicy()
{
    if (ttDeprecatedPolicy === undefined) {
        ttDeprecatedPolicy = null;
        if (typeof window == ....
    }
}

licanhua avatar Sep 22 '22 17:09 licanhua
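
The lazy-creation pattern proposed in this issue, as an added example that is not part of the original issue or of the AdaptiveCards code base. `POLICY_NAME`, `makeLazyPolicy`, `escapeHtml` and `fakeFactory` are hypothetical names; the fake factory is a constructed stand-in for `window.trustedTypes`, so the refusal path can be exercised outside a browser.

```javascript
// Added example: defer trustedTypes.createPolicy() until first use.
// POLICY_NAME and the rule below are placeholders, not AdaptiveCards values.
const POLICY_NAME = "example-lazy-policy";

// Escaping rule used by the sample policy (constructed for this example).
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Returns a getter that creates the policy at most once, on first call.
// `factory` defaults to the browser's trustedTypes object; it is a
// parameter so the behaviour can be exercised outside a browser.
function makeLazyPolicy(name, rules, factory = globalThis.trustedTypes) {
  let policy; // undefined = not attempted, null = unavailable or refused
  return function getPolicy() {
    if (policy === undefined) {
      policy = null;
      if (factory && typeof factory.createPolicy === "function") {
        try {
          policy = factory.createPolicy(name, rules);
        } catch (e) {
          // createPolicy throws TypeError when the CSP trusted-types
          // directive does not allow this name. Record the refusal once
          // instead of failing at package load or retrying on every call.
          if (!(e instanceof TypeError)) throw e;
        }
      }
    }
    return policy;
  };
}

// Constructed stand-in for window.trustedTypes that enforces an allowlist
// the way a `trusted-types <names>` directive would, and counts attempts.
function fakeFactory(allowedNames) {
  const f = {
    attempts: 0,
    createPolicy(name, rules) {
      f.attempts += 1;
      if (!allowedNames.includes(name)) {
        throw new TypeError(`Policy "${name}" disallowed.`);
      }
      return { name, ...rules };
    },
  };
  return f;
}

const getPolicy = makeLazyPolicy(POLICY_NAME, { createHTML: escapeHtml });
```

A caller that receives `null` from the getter has to decide what to do without a policy; under `require-trusted-types-for 'script'`, assigning a plain string to a sink such as `innerHTML` will still be blocked.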