trusted-types icon indicating copy to clipboard operation
trusted-types copied to clipboard

Published 20 hours ago verified publisher icon w3c

Should the default policy be invoked when trusted types are not required?

Open mbrodesser-Igalia opened this issue 1 year ago • 4 comments

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 3 returns if no trusted types are required.

That section is normative. The non-normative section about the default policy (https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr) doesn't mention that aspect.

It seems more intuitive to invoke the default policy.

mbrodesser-Igalia avatar Jul 15 '24 09:07 mbrodesser-Igalia

Chrome implements the normative behavior (e.g. https://jsfiddle.net/014ze36t/2/).

ghost avatar Jul 15 '24 09:07 ghost

This is intentional. The default policy only works if there's a require-trusted-types-for directive. This is such that all trusted types related enforcement is controlled through the directive.

koto avatar Jul 15 '24 09:07 koto

@mozfreddyb : what's Mozilla's position towards this?

CC @evilpie

ghost avatar Jul 15 '24 09:07 ghost

We agree with @koto. The default policy should be invoked only if there's a TT directive in CSP and not without a CSP directive.

mozfreddyb avatar Sep 04 '24 12:09 mozfreddyb