Closed mbrodesser-Igalia closed 5 months ago
https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy step 9 sets a violation's resource to "trusted-types-policy".
https://w3c.github.io/webappsec-csp/#violation-resource doesn't mention that resource, nor that other resources may be used.
A fix could be to specify in the CSP that other specs may add such resources. The CSP spec would need to be checked to see whether that integrates properly with the remainder of that spec.
CC @evilpie @lukewarlow
https://github.com/w3c/webappsec-csp/pull/659 - the upstreaming PR includes it in the list.
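The "trusted-types-policy" resource discussed above is not only a spec-internal value: the CSP violation's resource is what ends up in the `blocked-uri` / `blockedURL` field of a violation report, and the Trusted Types spec puts the attempted policy name in the report's sample. The following is an added example (not code from the issue, the CSP spec or the Trusted Types spec) of triaging such reports on the receiving side. It assumes a report body in either the legacy `report-uri` format or the Reporting API format, an allowlist of policy names the site expects (a hypothetical input), and a constructed sample report.

```javascript
// Added example, not from the issue or the specs. Field names follow the two
// CSP3 report formats (legacy {"csp-report": {...}} and Reporting API body);
// the sample report below is constructed for illustration.

// Non-URL resource values a CSP violation can carry; the two "trusted-types-*"
// strings are the ones the issue is about.
const NON_URL_RESOURCES = new Set([
  "inline",
  "eval",
  "wasm-eval",
  "trusted-types-policy",
  "trusted-types-sink",
]);

// Accept either report shape and return one normalized object.
function normalizeReport(body) {
  const r = body["csp-report"] || body;
  return {
    blockedUri: r["blocked-uri"] ?? r.blockedURL ?? "",
    directive: r["effective-directive"] ?? r.effectiveDirective ?? "",
    disposition: r.disposition ?? "enforce",
    sample: r["script-sample"] ?? r.sample ?? "",
    document: r["document-uri"] ?? r.documentURL ?? "",
  };
}

// Decide how a report should be triaged. For a "trusted-types-policy" resource
// the sample carries the policy name the page tried to create, so it can be
// compared against the policy names the site is expected to create
// (allowedPolicies is an assumed, site-specific allowlist).
function triage(body, allowedPolicies) {
  const v = normalizeReport(body);

  if (!NON_URL_RESOURCES.has(v.blockedUri)) {
    // Ordinary fetch/navigation violation: resource was a URL.
    return {
      kind: "url",
      blockedUri: v.blockedUri,
      directive: v.directive,
      disposition: v.disposition,
    };
  }

  if (v.blockedUri === "trusted-types-policy") {
    const policyName = v.sample.trim();
    const known = allowedPolicies.has(policyName);
    return {
      kind: "trusted-types-policy",
      policyName,
      known,
      disposition: v.disposition,
      // A known name blocked by the trusted-types directive usually means the
      // deployed CSP and the site's policy list have drifted apart; an unknown
      // name means some script tried to create a policy nobody planned for.
      severity: known ? "config-drift" : "unexpected-policy",
    };
  }

  // inline / eval / wasm-eval / trusted-types-sink: report the resource as-is.
  return { kind: v.blockedUri, directive: v.directive, disposition: v.disposition };
}

// Constructed sample report in the legacy report-uri shape.
const SAMPLE_REPORT = {
  "csp-report": {
    "document-uri": "https://app.example/",
    "effective-directive": "trusted-types",
    "blocked-uri": "trusted-types-policy",
    "script-sample": "dompurify",
    disposition: "enforce",
  },
};

console.log(triage(SAMPLE_REPORT, new Set(["default", "dompurify"])));
```

The allowlist check is what makes the "trusted-types-policy" value actionable for an operator: the same report field that otherwise holds a URL now names a policy, and the sample tells you which one, so the two failure modes (CSP out of sync with the site versus an unexpected policy creation attempt) can be separated without looking at the page.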