Open mbrodesser-Igalia opened 4 months ago
Are you asking if they are required because it's hard to use an HTTP header (shouldn't be)?
Are you asking if they are required because it's hard to use an HTTP header (shouldn't be)?
Not because of that. Because I wasn't sure it's a relevant scenario for trusted-types. But since it's a possible scenario, there should be tests.
https://w3c.github.io/webappsec-csp/#directive-sandbox
The
sandbox
directive is ignored when delivered via a<meta>
tag.