Creating a policy with policyName="" is possible, but can't be referred to by the "trusted-types" CSP directive

[ghost]

trafficstars

E.g. https://jsfiddle.net/q5kmL492/ is possible.

https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive requires the policy-name to consist of at least one character.

That might be annoying when one writes multiple policies named "" and wants to limit trusted-types to those policies later.

[mbrodesser-Igalia]

Adding a keyword 'allow-unnamed' would fix this.

[lukewarlow]

This feels like it shouldn't be allowed? But if we reject unamed policies that might be a compat risk?

[mbrodesser-Igalia]

This feels like it shouldn't be allowed? But if we reject unamed policies that might be a compat risk?

There are use-cases where policy-names are irrelevant. E.g. when allowing all policies via the wildcard trusted-types * (https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive).

[bkardell]

I would like to understand if people really do this... Who might have some experience with how common/good an idea (or even just 'why') people would do an unnamed policy? @koto ?

[koto]

Ww always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with trusted-types directive).

@otherdaniel, can we add a use counter for unnamed policies?

[otherdaniel]

Ww always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with trusted-types directive).

@otherdaniel, can we add a use counter for unnamed policies?

Done. (TrustedTypesCreatePolicyWithEmptyName; not sure yet which release it'll appear in.)