Open mbrodesser-Igalia opened 6 months ago
Adding a keyword 'allow-unnamed' would fix this.
This feels like it shouldn't be allowed? But if we reject unnamed policies that might be a compat risk?
There are use-cases where policy-names are irrelevant. E.g. when allowing all policies via the wildcard trusted-types * (https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive).
I would like to understand if people really do this... Who might have some experience with how common/good an idea (or even just 'why') people would do an unnamed policy? @koto ?
We always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with trusted-types directive).
@otherdaniel, can we add a use counter for unnamed policies?
Done. (TrustedTypesCreatePolicyWithEmptyName; not sure yet which release it'll appear in.)
E.g. https://jsfiddle.net/q5kmL492/ is possible.
https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive requires the policy-name to consist of at least one character.
That might be annoying when one writes multiple policies named "" and wants to limit trusted-types to those policies later.
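A simplified model of the name check that the trusted-types directive applies at policy creation, added here as an illustration (it is not code from the spec or from any commenter in this thread). The function names are hypothetical and the grammar is the directive's policy-name rule as read from the linked spec section; it shows that an unnamed policy passes only under the wildcard and cannot be allowlisted by name.

```javascript
// Simplified model of the CSP check for Trusted Types policy creation.
// Added example: these functions are hypothetical, not browser APIs.

// Policy-name rule assumed from the linked spec section: one or more of
// these characters, so a zero-length name can never appear in the list.
const POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// Split a directive value such as "foo bar 'allow-duplicates'" into its parts.
function parseTrustedTypesDirective(value) {
  const parsed = { names: new Set(), wildcard: false, allowDuplicates: false };
  const tokens = value.split(/[\t\n\f\r ]+/).filter((t) => t.length > 0);
  for (const token of tokens) {
    if (token === "*") parsed.wildcard = true;
    else if (token === "'allow-duplicates'") parsed.allowDuplicates = true;
    else if (POLICY_NAME.test(token)) parsed.names.add(token);
    // Any other token (including 'none' and a literal "") adds no name.
  }
  return parsed;
}

// Returns true when creating a policy called policyName would be blocked.
function isCreationBlocked(directiveValue, policyName, alreadyCreated = []) {
  const directive = parseTrustedTypesDirective(directiveValue);
  // A second policy with the same name needs 'allow-duplicates'.
  if (alreadyCreated.includes(policyName) && !directive.allowDuplicates) {
    return true;
  }
  // The name must be listed, unless the wildcard allows every name.
  return !directive.names.has(policyName) && !directive.wildcard;
}

// Constructed directive values, each checked against the unnamed policy "".
function unnamedPolicyReport() {
  const directives = ["*", "foo", '""', "* 'allow-duplicates'"];
  return directives.map((value) => ({
    directive: value,
    firstUnnamedBlocked: isCreationBlocked(value, ""),
    secondUnnamedBlocked: isCreationBlocked(value, "", [""]),
  }));
}

console.table(unnamedPolicyReport());
```

Under this model the only way to permit several unnamed policies is `* 'allow-duplicates'`, which also permits every other policy name.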