WPT for CSP header trusted-types 'none' 'none' missing #508
Comments
I'm not sure if it's valid to set the
@ziransun see https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-should-trusted-type-policy-creation-be-blocked-by-content-security-policy. It states: "If directive’s value only contains a tt-keyword which is a match for a value 'none', set createViolation to true.". Here, the value contains only that keyword (multiple times).
Have you tested Chromium's or Safari Tech Preview's behaviour here? The spec is ambiguous imo. It says the value only contains a keyword 'none'. Well, two duplicate keywords aren't 'a keyword'. I think it depends on if there's any handling for discarding duplicates inside of CSP parsing? I think it should behave the same as just 1 existing but the spec should be clarified too in that case.
Yes, I have tried with Chromium and Safari. Apart from having the same result as one "none", it has complaints like -
Agreed.
So after some more thinking I want to clarify the above comment.
The first triggers step 2.4 and the second will fall through to step 2.6 both creating a violation.
Neither of these would trigger step 2.4 or 2.6 and so no violation would be created. I actually don't think the spec is ambiguous here.
Behavior should equal the one for trusted-types 'none'.
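The check discussed in this thread, as an added sketch that is not part of the issue, the spec text or the WPT suite: a small model of the per-directive decision that reports which steps set createViolation. Step 2.4 is implemented in its strict reading (exactly one 'none' token); the wording of steps 2.5 and 2.6 and the tt-policy-name grammar are assumptions taken from the linked spec algorithm, and the function names are hypothetical.

```javascript
// Added model of the trusted-types directive check; not browser or WPT code.
// Step numbers follow the thread (2.4, 2.6). Steps 2.5 and 2.6 and the
// tt-policy-name grammar are assumed from the linked spec algorithm.

// tt-policy-name: letters, digits and - # = _ / @ . %  (quotes are not allowed,
// so the keyword 'none' can never be read as a policy name).
const TT_POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// Split a serialized directive value on ASCII whitespace.
function tokens(value) {
  return value.trim().split(/[\t\n\f\r ]+/).filter(Boolean);
}

// Returns the steps that set createViolation when `policyName` is created
// under one `trusted-types` directive with the given value.
function violatingSteps(directiveValue, policyName, createdPolicyNames = []) {
  const toks = tokens(directiveValue);
  const steps = [];

  // Step 2.4, strict reading: the value is exactly one 'none' keyword.
  if (toks.length === 1 && toks[0] === "'none'") steps.push("2.4");

  // Step 2.5: the name was already created and 'allow-duplicates' is absent.
  if (createdPolicyNames.includes(policyName) &&
      !toks.includes("'allow-duplicates'")) steps.push("2.5");

  // Step 2.6: the name is not listed and there is no wildcard.
  const names = toks.filter((t) => TT_POLICY_NAME.test(t));
  if (!names.includes(policyName) && !toks.includes("*")) steps.push("2.6");

  return steps;
}

// A violation is created as soon as any step sets the flag.
function createsViolation(directiveValue, policyName, createdPolicyNames = []) {
  return violatingSteps(directiveValue, policyName, createdPolicyNames).length > 0;
}

// Constructed sample values: compare the single and the duplicated keyword.
for (const value of ["'none'", "'none' 'none'", "'none' p"]) {
  console.log(JSON.stringify(value), violatingSteps(value, "p"));
}
```

Even under the strict reading of step 2.4, the duplicated keyword still produces a violation through step 2.6, so a test for `'none' 'none'` can assert the same outcome as for a single `'none'`.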