trusted-types

"Get Trusted Type compliant string" is called with "script" instead of "'script'"

Open mbrodesser-Igalia opened this issue 6 months ago • 1 comments

E.g. from https://html.spec.whatwg.org/#the-insertadjacenthtml()-method.

"Get Trusted Type compliant string" [1] invokes "Should sink type mismatch violation be blocked by Content Security Policy?" [2]. The latter checks for a match of the sinkGroup in step 2.3, which refers to [3] which contains "'sink'".

[1] https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm

[2] https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-should-sink-type-mismatch-violation-be-blocked-by-content-security-policy

[3] https://w3c.github.io/trusted-types/dist/spec/#trusted-types-sink-group

mbrodesser-Igalia Aug 22 '24 07:08
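The mismatch reported above, as an added example that is not part of the issue or of either spec: a simplified model of the per-policy check in [2], in which `sinkGroup` is compared literally against the tokens of `require-trusted-types-for`. The function names, the policy parsing and the sample policy are assumptions made for illustration.

```javascript
// Simplified model (assumption): a policy is a serialized CSP string plus a
// disposition. Real user agents parse policies per the CSP specification.
function parsePolicy(serialized, disposition = "enforce") {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP keeps only the first occurrence of a directive name.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return { directives, disposition };
}

// Hypothetical helper modelling the loop over the CSP list. sinkGroup is
// matched literally against each token: the strict reading of step 2.3.
function shouldSinkTypeMismatchBeBlocked(cspList, sinkGroup) {
  let result = "Allowed";
  for (const policy of cspList) {
    const value = policy.directives.get("require-trusted-types-for");
    if (value === undefined) continue;         // directive absent: skip policy
    if (!value.includes(sinkGroup)) continue;  // step 2.3: no matching sink group
    if (policy.disposition === "enforce") result = "Blocked";
  }
  return result;
}

// Constructed sample policy list.
const cspList = [
  parsePolicy("require-trusted-types-for 'script'; trusted-types default"),
];

// Argument as the issue title says callers pass it: no single quotes.
const unquoted = shouldSinkTypeMismatchBeBlocked(cspList, "script");
// Argument spelled like the sink-group keyword, single quotes included.
const quoted = shouldSinkTypeMismatchBeBlocked(cspList, "'script'");

console.log({ unquoted, quoted });
```

Under this literal reading, the unquoted argument never matches the directive token, so the enforcing policy is skipped and the string assignment is allowed.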