Should the default policy be invoked when trusted types are not required?

[mbrodesser-Igalia]

https://w3c.github.io/trusted-types/dist/spec/#get-trusted-type-compliant-string-algorithm step 3 returns if no trusted types are required.

That section is normative. The non-normative section about the default policy (https://w3c.github.io/trusted-types/dist/spec/#default-policy-hdr) doesn't mention that aspect.

It seems more intuitive to invoke the default policy.

[mbrodesser-Igalia]

Chrome implements the normative behavior (e.g. https://jsfiddle.net/014ze36t/2/).

[koto]

This is intentional. The default policy only works if there's a require-trusted-types-for directive. This is such that all trusted types related enforcement is controlled through the directive.

[mbrodesser-Igalia]

@mozfreddyb : what's Mozilla's position towards this?

CC @evilpie

[mozfreddyb]

We agree with @koto. The default policy should be invoked only if there's a TT directive in CSP and not without a CSP directive.