trusted-types icon indicating copy to clipboard operation
trusted-types copied to clipboard

Published 20 hours ago verified publisher icon w3c

Clipping of violation’s sample to the 40 first characters

Open fred-wang opened this issue 9 months ago • 2 comments
trafficstars

See https://github.com/w3c/webappsec-csp/issues/704

The Trusted Types spec also mentions clipping to 40 first characters, and this can have similar ambiguity and implementation issues:

https://w3c.github.io/trusted-types/dist/spec/#should-block-sink-type-mismatch https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy (and in https://w3c.github.io/trusted-types/dist/spec/#privacy-considerations)

fred-wang avatar Jan 23 '25 11:01 fred-wang

Another inconsistency: the CSP spec relies on the "report-sample" script-src to determine whether or not to clip violation's sample, but the Trusted Type spec do that unconditionally.

fred-wang avatar Mar 19 '25 08:03 fred-wang

That latter bit is intentional from discussions we've had before.

lukewarlow avatar Mar 19 '25 11:03 lukewarlow