Daniel Vogelheim
> I meant a real PR on wpt, not one that's owned by the Chromium CI bot and where the status is controlled by what happens in Chromium's code review....
I don't have specific numbers on 'no-cors' usage, unfortunately. Generally, ORB is surely a compatibility risk, and we've had to roll back our initial attempts due to site breakage. (E.g. [crbug.com/1359788](https://crbug.com/1359788))...
> We always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with `trusted-types` directive).
>
> @otherdaniel, can we...
> @otherdaniel do you remember how the parser sets the slot value? What algorithm is it a part of?

I'm not sure. If I remember correctly, I initially followed the...
Yes, looks good!
Alternatively, one could give up the notion of "strongest" in favour of the order (or another explicit criterion), to let the page author express their intent.
I like the given example. I imagine it could be quite realistic, e.g. with a development and a release version, which - for some types of setups - differ in...
> Are signatures intended to strengthen hash-based checks (by allowing the signing key to live offline, for example, which would need to be mentioned in the explainer), or are they...
Naaah, disagree. The thing is, the signatures and the hashes would be in different places, where they fulfill different roles, and have different impact on deployability. Strawman: 1. Website owner...
To cycle this back to the original issues: Signatures - being a relaxation vs hashes - would potentially allow an attacker to substitute a resource that was validly signed in...