w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Add WPTs for CSP `sandbox allow-scripts` combined with Trusted Types #513

Open mbrodesser-Igalia opened 4 months ago

mbrodesser-Igalia commented 4 months ago

https://w3c.github.io/webappsec-csp/#directive-sandbox

The sandbox directive is ignored when delivered via a <meta> tag.

annevk commented 4 months ago

Are you asking if they are required because it's hard to use an HTTP header (shouldn't be)?

mbrodesser-Igalia commented 4 months ago

> Are you asking if they are required because it's hard to use an HTTP header (shouldn't be)?

Not because of that. Because I wasn't sure it's a relevant scenario for trusted-types. But since it's a possible scenario, there should be tests.