w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

"Create a Trusted Type Policy" should specify the TypeError messages #511

Closed mbrodesser-Igalia closed 2 months ago

mbrodesser-Igalia commented 5 months ago

https://searchfox.org/mozilla-central/rev/0916ef0172ce5b2a72749b659da8ad95f637ef42/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-nameTests.html#38 requires that.

https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-create-a-trusted-type-policy currently does not.

annevk commented 5 months ago

Hmm, I don't think we should be checking the contents of message unless that is somehow required for web compatibility.

mbrodesser-Igalia commented 5 months ago

Agreed, it's an implementation detail.

lukewarlow commented 4 months ago

@otherdaniel can you comment on whether these messages are important for compatibility?

I agree that generally these should be left to the browser to decide. Or these should be specced across the board (way out of scope of this work).