
createPolicy's permitted policy names are inconsistent with CSP's permitted policy names #504

mbrodesser-Igalia opened this issue Apr 17, 2024 · 6 comments

@mbrodesser-Igalia (Collaborator)
https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy has no restrictions on the policy name,
https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive has.

E.g. trustedTypes.createPolicy("$") is supported, but trusted-types $ is not.

#466 is a special case of this.
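To make the mismatch concrete, here is an added example (not code from the spec or the Trusted Types project) that checks policy names against the tt-policy-name grammar as I read it in the CSP section of the spec, and flags names that createPolicy accepts but no trusted-types directive token could ever list. The grammar, the sample names and the sample directive value are assumptions constructed for this example.

```javascript
// Added example; not code from the spec or the Trusted Types project.
// Grammar as read from the spec's CSP section (assumption, verify there):
//   tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
//   tt-expression  = tt-policy-name / "'allow-duplicates'" / "'none'" / "*"
const TT_POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// true if `name` could appear as a policy name in a `trusted-types` directive.
function isCspPolicyName(name) {
  return TT_POLICY_NAME.test(name);
}

// Parse the value of a `trusted-types` directive (everything after the
// directive name) into the names and keywords it carries. Tokens that match
// nothing in the grammar are collected so a reviewer can see what a
// CSP parser would have to drop.
function parseTrustedTypesDirective(value) {
  const result = { names: [], allowDuplicates: false, none: false, wildcard: false, invalid: [] };
  for (const token of value.trim().split(/\s+/).filter(Boolean)) {
    if (token === "'allow-duplicates'") result.allowDuplicates = true;
    else if (token === "'none'") result.none = true;
    else if (token === "*") result.wildcard = true;
    else if (isCspPolicyName(token)) result.names.push(token);
    else result.invalid.push(token);
  }
  return result;
}

// Given the names an application passes to trustedTypes.createPolicy(), return
// those the directive can never name explicitly: createPolicy accepts them
// today, but no tt-policy-name token can match them (the inconsistency in this issue).
function findInexpressiblePolicyNames(createdNames) {
  return createdNames.filter((n) => !isCspPolicyName(n));
}

// Constructed sample input: names from a hypothetical application's createPolicy
// calls, and a hypothetical trusted-types directive value.
const SAMPLE_CREATED = ["default", "dom-sanitizer", "$", "my policy", "@corp/html"];
const SAMPLE_DIRECTIVE = "default dom-sanitizer 'allow-duplicates' $";

console.log(findInexpressiblePolicyNames(SAMPLE_CREATED)); // [ '$', 'my policy' ]
console.log(parseTrustedTypesDirective(SAMPLE_DIRECTIVE).invalid); // [ '$' ]
```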

@mbrodesser-Igalia mbrodesser-Igalia added this to the v1 milestone Apr 18, 2024
@mbrodesser-Igalia (Collaborator, Author)

In today's meeting with @koto, @lukewarlow and some Mozillians it was agreed to adapt https://w3c.github.io/trusted-types/dist/spec/#dom-trustedtypepolicyfactory-createpolicy to match the policy names permitted by https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive.

@otherdaniel: could you please add a use counter for the now undesired policy names of createPolicy?

@annevk (Member) commented Apr 18, 2024

There are meetings outside the purview of WebAppSec? Shouldn't those be announced at least? Or if they are completely private I don't think they can be used to make decisions and probably shouldn't be discussed here.

Please see https://www.w3.org/2023/Process-20231103/#GeneralMeetings.

cc @mikewest @dveditz

@lukewarlow (Member)

> Shouldn't those be announced at least?

The meeting in question is an Igalia project update meeting, so it is "private" in that sense. It just also happens to have lots of people involved in the spec and implementation, so it is useful for getting people's thoughts on issues that we come across with the spec. I'm unaware of anything that we've discussed there that hasn't otherwise been raised as an issue previously.

I think to reword it "it was agreed that it seemed a reasonable idea" and it's good to get use counters in early if we do end up making this sort of change.

@mbrodesser-Igalia (Collaborator, Author)

> There are meetings outside the purview of WebAppSec? Shouldn't those be announced at least? Or if they are completely private I don't think they can be used to make decisions and probably shouldn't be discussed here.
>
> Please see https://www.w3.org/2023/Process-20231103/#GeneralMeetings.
>
> cc @mikewest @dveditz

@annevk: thanks for bringing this up. The agreement above was just a collective suggestion, so please feel free to object to it. It's not a decision. I understand one has to be careful here.

@mikewest (Member)

This might be a good indication that a broader update on Trusted Types might be helpful for the WebAppSec community more broadly. Would y'all be interested in talking about it in the meeting on May 15th?

@koto (Member) commented Oct 31, 2024

Getting back to the technical issue. I suspect that, unlike in #466, there will be back-compat issues, but we need a use counter first to have more information. @otherdaniel, can you add one?
