w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

`createPolicy`'s permitted policy names are inconsistent with CSP's permitted policy names #504

Open mbrodesser-Igalia opened 5 months ago

mbrodesser-Igalia commented 5 months ago

https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy has no restrictions on the policy name, https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive has.

E.g. `trustedTypes.createPolicy("$")` is supported and `trusted-types $` not.

https://github.com/w3c/trusted-types/issues/466 is a special case of this.
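As an added example (not code from the w3c/trusted-types specification or repository) to make the mismatch concrete: a small JavaScript check that applies the `trusted-types` CSP directive's policy-name grammar to names an application would otherwise pass to `createPolicy`, and parses a directive value to show which tokens the directive can and cannot express. The grammar used here (`ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%"`) is my reading of the linked spec section and is an assumption to confirm against it; the sample policy names and directive value are constructed.

```javascript
// Added example, not from the w3c/trusted-types spec or repo.
// Assumption (confirm against the spec's trusted-types directive section):
//   tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
const TT_POLICY_NAME_RE = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// True if a CSP `trusted-types` allow-list could name this policy at all.
function isCspExpressiblePolicyName(name) {
  return typeof name === 'string' && TT_POLICY_NAME_RE.test(name);
}

// Parse a `trusted-types` directive value into its parts. Keywords are the
// quoted 'none' and 'allow-duplicates' plus the bare wildcard '*'; every
// other token must be a valid tt-policy-name, otherwise it is collected as invalid.
function parseTrustedTypesDirective(value) {
  const result = { none: false, allowDuplicates: false, allowAll: false, names: [], invalid: [] };
  for (const tok of value.trim().split(/\s+/).filter(Boolean)) {
    if (tok === "'none'") result.none = true;
    else if (tok === "'allow-duplicates'") result.allowDuplicates = true;
    else if (tok === '*') result.allowAll = true;
    else if (isCspExpressiblePolicyName(tok)) result.names.push(tok);
    else result.invalid.push(tok);
  }
  return result;
}

// Given the names an application creates via trustedTypes.createPolicy(name, ...),
// return those that no CSP allow-list could ever enumerate. Such policies are
// only reachable through the wildcard, so the directive cannot pin them down
// individually; this is the inconsistency the issue describes.
function findUnenforceablePolicyNames(createdNames) {
  return createdNames.filter((n) => !isCspExpressiblePolicyName(n));
}

// Constructed sample input: names an app might currently pass to createPolicy().
const SAMPLE_CREATED_NAMES = ['default', 'sanitizer-v2', 'lib/dompurify', '$', 'my policy', 'ünïcode'];

// Constructed sample directive value, including a token the grammar rejects.
const SAMPLE_DIRECTIVE = "default lib/dompurify $ 'allow-duplicates'";

// Stand-alone demonstration.
console.log('not expressible in CSP:', findUnenforceablePolicyNames(SAMPLE_CREATED_NAMES));
console.log('parsed directive:', parseTrustedTypesDirective(SAMPLE_DIRECTIVE));
```

A deployment that relies on a `trusted-types` allow-list (without `*`) gets no enforcement benefit for a policy whose name the grammar cannot express, which is the practical reason to make `createPolicy` reject the same names.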

mbrodesser-Igalia commented 5 months ago

In today's meeting with @koto, @lukewarlow and some Mozillians it was agreed to adapt https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy to match the policy names permitted by https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive.

@otherdaniel: could you please add a use counter for the now undesired policy names of createPolicy?

annevk commented 5 months ago

There are meetings outside the purview of WebAppSec? Shouldn't those be announced at least? Or if they are completely private I don't think they can be used to make decisions and probably shouldn't be discussed here.

Please see https://www.w3.org/2023/Process-20231103/#GeneralMeetings.

cc @mikewest @dveditz

lukewarlow commented 5 months ago

> Shouldn't those be announced at least?

The meeting in question is an Igalia project update meeting so is "private" in that sense. It just also happens to have lots of people involved in the spec and implementation so is useful to get people's thoughts on issues that we come across with the spec. I'm unaware of anything that we've discussed there that hasn't otherwise been raised as an issue previously.

I think to reword it "it was agreed that it seemed a reasonable idea" and it's good to get use counters in early if we do end up making this sort of change.

mbrodesser-Igalia commented 5 months ago

> There are meetings outside the purview of WebAppSec? Shouldn't those be announced at least? Or if they are completely private I don't think they can be used to make decisions and probably shouldn't be discussed here.
>
> Please see https://www.w3.org/2023/Process-20231103/#GeneralMeetings.
>
> cc @mikewest @dveditz

@annevk: thanks for bringing this up. The agreement above was just a collective suggestion, so please feel free to object to it. It's not a decision. I understand one has to be careful here.

mikewest commented 5 months ago

This might be a good indication that a broader update on Trusted Types might be helpful for the WebAppSec community more broadly. Would y'all be interested in talking about it in the meeting on May 15th?