mbrodesser-Igalia
commented
6 months ago Adding a keyword 'allow-unnamed' would fix this.
Open mbrodesser-Igalia opened 6 months ago
mbrodesser-Igalia
commented
6 months ago Adding a keyword 'allow-unnamed' would fix this.
lukewarlow
commented
6 months ago This feels like it shouldn't be allowed? But if we reject unamed policies that might be a compat risk?
mbrodesser-Igalia
commented
6 months ago This feels like it shouldn't be allowed? But if we reject unamed policies that might be a compat risk?
There are use-cases where policy-names are irrelevant. E.g. when allowing all policies via the wildcard trusted-types * (https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive).
bkardell
commented
6 months ago I would like to understand if people really do this... Who might have some experience with how common/good an idea (or even just 'why') people would do an unnamed policy? @koto ?
koto
commented
6 months ago Ww always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with trusted-types directive).
@otherdaniel, can we add a use counter for unnamed policies?
otherdaniel
commented
6 months ago Ww always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with
trusted-typesdirective).@otherdaniel, can we add a use counter for unnamed policies?
Done. (TrustedTypesCreatePolicyWithEmptyName; not sure yet which release it'll appear in.)
E.g. https://jsfiddle.net/q5kmL492/ is possible.
https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive requires the policy-name to consist of at least one character.
That might be annoying when one writes multiple policies named
""and wants to limit trusted-types to those policies later.