w3c / trusted-types

A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.
https://w3c.github.io/trusted-types/dist/spec/

Should the default policy be invoked when trusted types are not required? #536

Open mbrodesser-Igalia opened 2 months ago

mbrodesser-Igalia commented 2 months ago

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 3 returns if no trusted types are required.

That section is normative. The non-normative section about the default policy (https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr) doesn't mention that aspect.

It seems more intuitive to invoke the default policy.

mbrodesser-Igalia commented 2 months ago

Chrome implements the normative behavior (e.g. https://jsfiddle.net/014ze36t/2/).

koto commented 2 months ago

This is intentional. The default policy only works if there's a require-trusted-types-for directive. This is such that all trusted types related enforcement is controlled through the directive.

mbrodesser-Igalia commented 2 months ago

@mozfreddyb : what's Mozilla's position towards this?

CC @evilpie

mozfreddyb commented 3 weeks ago

We agree with @koto. The default policy should be invoked only if there's a TT directive in CSP and not without a CSP directive.
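The behaviour koto and mozfreddyb describe (the default policy is consulted only when a `require-trusted-types-for` directive is present, and the spec algorithm returns at step 3 otherwise) can be seen in the following stand-alone model. This is an added example, not code from the spec or from any browser implementation: it simulates the spec's "Get Trusted Type compliant string" steps with a constructed CSP list shape, a minimal `TrustedHTML` class and a `createPolicy` helper, all of which are assumptions made for this illustration rather than the spec's actual data model.

```javascript
// Added, simplified model of the spec's "Get Trusted Type compliant string"
// algorithm (constructed for illustration; not the spec's or a browser's code).

// Minimal stand-in for the platform TrustedHTML type (assumption).
class TrustedHTML {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}

// Model of trustedTypes.createPolicy: the callback returns a string, which is
// wrapped in TrustedHTML; null/undefined from the callback means "reject".
// Also counts invocations so we can observe when the default policy runs.
function createPolicy(name, { createHTML }) {
  const policy = { name, calls: 0 };
  policy.createHTML = (input, ...args) => {
    policy.calls += 1;
    const out = createHTML(input, ...args);
    return out === null || out === undefined ? null : new TrustedHTML(String(out));
  };
  return policy;
}

// Constructed CSP list shape: [{ disposition: 'enforce'|'report', directives: {name: [values]} }]
function directiveHasSinkGroup(policy, sinkGroup) {
  const values = policy.directives['require-trusted-types-for'] || [];
  return values.includes(`'${sinkGroup}'`);
}

// Spec step 2: "Does sink type require trusted types?" (enforce OR report-only).
function sinkRequiresTrustedTypes(cspList, sinkGroup) {
  return cspList.some(p => directiveHasSinkGroup(p, sinkGroup));
}

// Spec step 5: a mismatch is blocked only if an *enforced* policy requires TT.
function violationIsBlocked(cspList, sinkGroup) {
  return cspList.some(p => p.disposition === 'enforce' && directiveHasSinkGroup(p, sinkGroup));
}

// The algorithm itself, for HTML sinks (e.g. innerHTML) and sink group 'script'.
function getTrustedTypeCompliantString({ cspList, defaultPolicy, input, sink, sinkGroup = 'script' }) {
  // Step 1: already a TrustedHTML, pass through.
  if (input instanceof TrustedHTML) return String(input);
  // Steps 2-3: no require-trusted-types-for directive at all -> return the
  // stringified input. The default policy is never consulted here, which is
  // the point made in the thread above.
  if (!sinkRequiresTrustedTypes(cspList, sinkGroup)) return String(input);
  // Step 4: process the value with the default policy, if one is registered.
  let converted = null;
  if (defaultPolicy && typeof defaultPolicy.createHTML === 'function') {
    converted = defaultPolicy.createHTML(String(input), 'TrustedHTML', sink);
  }
  // Step 5: no default policy, or it rejected the value.
  if (converted === null || converted === undefined) {
    if (violationIsBlocked(cspList, sinkGroup)) {
      throw new TypeError(`This document requires 'TrustedHTML' assignment for sink ${sink}`);
    }
    return String(input); // report-only: violation is reported, value passes through
  }
  // Steps 6-7: the default policy produced a TrustedHTML; use its string.
  return String(converted);
}

// Constructed sample inputs for the scenarios discussed in the thread.
const NO_CSP = [];
const ENFORCE_CSP = [{ disposition: 'enforce', directives: { 'require-trusted-types-for': ["'script'"] } }];
const REPORT_ONLY_CSP = [{ disposition: 'report', directives: { 'require-trusted-types-for': ["'script'"] } }];

// A default policy that strips <script> tags (toy sanitizer, for illustration only).
function makeDefaultPolicy() {
  return createPolicy('default', {
    createHTML: s => s.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, ''),
  });
}

// Runs the scenarios and returns the observations, so they can be checked.
function runScenarios() {
  const payload = 'hello<script>alert(1)</script>';
  const withoutDirective = makeDefaultPolicy();
  const outNoCsp = getTrustedTypeCompliantString({ cspList: NO_CSP, defaultPolicy: withoutDirective, input: payload, sink: 'Element innerHTML' });

  const withDirective = makeDefaultPolicy();
  const outEnforce = getTrustedTypeCompliantString({ cspList: ENFORCE_CSP, defaultPolicy: withDirective, input: payload, sink: 'Element innerHTML' });

  let threw = false;
  try {
    getTrustedTypeCompliantString({ cspList: ENFORCE_CSP, defaultPolicy: null, input: payload, sink: 'Element innerHTML' });
  } catch (e) { threw = e instanceof TypeError; }

  const rejecting = createPolicy('default', { createHTML: () => null });
  const outReportOnly = getTrustedTypeCompliantString({ cspList: REPORT_ONLY_CSP, defaultPolicy: rejecting, input: payload, sink: 'Element innerHTML' });

  return {
    noCspOutput: outNoCsp, noCspDefaultCalls: withoutDirective.calls,
    enforceOutput: outEnforce, enforceDefaultCalls: withDirective.calls,
    enforceWithoutPolicyThrows: threw,
    reportOnlyOutput: outReportOnly, reportOnlyDefaultCalls: rejecting.calls,
  };
}
```

Running `runScenarios()` shows the distinction: with no CSP the default policy's call counter stays at 0 and the raw string reaches the sink, while under `require-trusted-types-for 'script'` the default policy runs once, a missing default policy raises a `TypeError` in enforce mode, and in report-only mode a rejecting default policy still lets the original value through.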