CSP syntax for `require-trusted-types-for` should be forgiving
Currently the spec has an unforgiving syntax for require-trusted-types-for: if you have an invalid sink group in your list, it invalidates the whole directive. This isn't what's actually implemented in Chromium (or WebKit). The spec should instead have the value syntax as a space-separated list, and we simply discard values we don't recognise; this is how other CSP directives work and is better for forward compatibility.
I'm not sure this is actually an issue in the Trusted Types spec per se. It is more a CSP issue in general, because all of them are defined by strict grammars, but script-src, for example, will parse as forgiving in all browsers.
cc @fred-wang
See also https://github.com/w3c/webappsec-csp/pull/363 for the general issue.
Mirko commented about trusted-types too in https://github.com/w3c/webappsec-csp/pull/363#issuecomment-2160193577
So another case considered invalid by tests is "'script''script'" (missing required-ascii-whitespace). But it seems Chromium and WebKit are forgiving for that case too and after my changes at https://phabricator.services.mozilla.com/D243259 I see the same for Firefox too.
I see other directives parsed similarly like https://w3c.github.io/webappsec-csp/#directive-sandbox so I assume they are accepting a missing whitespace too.
That specific case we should treat as invalid.
Chromium reports it as invalid but then treats it as valid because of a bug in their parser.
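To make the two readings discussed in this thread concrete, here is an added example (not code from the spec, Chromium, WebKit or Firefox) of a strict and a forgiving parser for the `require-trusted-types-for` value. It assumes `'script'` is the only defined sink group, that unknown but well-formed keywords are discarded, and that a malformed entry such as `'script''script'` (missing whitespace) invalidates the directive, as the last comments suggest.

```javascript
// Sink groups the spec currently defines (assumption: only 'script').
const KNOWN_SINK_GROUPS = new Set(["'script'"]);

// A well-formed entry is a single-quoted ASCII keyword.
const KEYWORD = /^'[A-Za-z0-9-]+'$/;

// Split on required-ascii-whitespace (tab, LF, FF, CR, space), dropping empties.
function tokenize(directiveValue) {
  return directiveValue.split(/[\t\n\f\r ]+/).filter(Boolean);
}

// Strict reading of the current grammar: any unknown or malformed entry
// invalidates the entire directive (returns null, i.e. nothing enforced).
function parseStrict(directiveValue) {
  const tokens = tokenize(directiveValue);
  if (tokens.length === 0) return null;
  for (const t of tokens) {
    if (!KEYWORD.test(t) || !KNOWN_SINK_GROUPS.has(t)) return null;
  }
  return { sinkGroups: [...new Set(tokens)], ignored: [] };
}

// Forgiving reading proposed in the issue: keep recognised sink groups and
// discard unrecognised ones (forward compatibility), but still reject an
// entry that is not even a well-formed keyword, e.g. "'script''script'".
function parseForgiving(directiveValue) {
  const tokens = tokenize(directiveValue);
  const sinkGroups = new Set();
  const ignored = [];
  for (const t of tokens) {
    if (!KEYWORD.test(t)) return null; // malformed entry: directive invalid
    if (KNOWN_SINK_GROUPS.has(t)) sinkGroups.add(t);
    else ignored.push(t);
  }
  return { sinkGroups: [...sinkGroups], ignored };
}

// Whether a parsed directive actually requires Trusted Types for script sinks.
function enforcesForScript(parsed) {
  return parsed !== null && parsed.sinkGroups.includes("'script'");
}
```

The security-relevant difference: under the strict reading a future sink group such as `'script' 'style'` silently disables enforcement for `'script'`, while the forgiving reading keeps it enforced.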