Open mbrodesser-Igalia opened 2 months ago
Chrome implements the normative behavior (e.g. https://jsfiddle.net/014ze36t/2/).
This is intentional. The default policy only works if there's a require-trusted-types-for
directive. This is such that all trusted types related enforcement is controlled through the directive.
@mozfreddyb : what's Mozilla's position towards this?
CC @evilpie
We agree with @koto. The default policy should be invoked only if there's a TT directive in CSP and not without a CSP directive.
https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 3 returns if no trusted types are required.
That section is normative. The non-normative section about the default policy (https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr) doesn't mention that aspect.
It seems more intuitive to invoke the default policy.