
Creating a policy with policyName="" is possible, but can't be referred to by the "trusted-types" CSP directive #466

Open
mbrodesser-Igalia opened this issue Mar 5, 2024 · 8 comments · May be fixed by #560
Comments

@mbrodesser-Igalia (Collaborator)

E.g. https://jsfiddle.net/q5kmL492/ is possible.

https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive requires the policy-name to consist of at least one character.

That might be annoying when one writes multiple policies named "" and wants to limit trusted-types to those policies later.

@mbrodesser-Igalia (Collaborator, Author)

Adding a keyword 'allow-unnamed' would fix this.

@mbrodesser-Igalia mbrodesser-Igalia added this to the v2 milestone Mar 6, 2024
@lukewarlow (Member)

This feels like it shouldn't be allowed? But if we reject unnamed policies that might be a compat risk?

@mbrodesser-Igalia (Collaborator, Author)

> This feels like it shouldn't be allowed? But if we reject unnamed policies that might be a compat risk?

There are use-cases where policy-names are irrelevant. E.g. when allowing all policies via the wildcard trusted-types * (https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive).

@bkardell (Collaborator)

I would like to understand if people really do this... Who might have some experience with how common/good an idea (or even just 'why') people would do an unnamed policy? @koto ?

@koto (Member) commented Mar 11, 2024

We always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with the trusted-types directive).

@otherdaniel, can we add a use counter for unnamed policies?

@otherdaniel (Member)

> We always used a policy name, but they are indeed optional (and only relevant if one guards policy creation by name with the trusted-types directive).
>
> @otherdaniel, can we add a use counter for unnamed policies?

Done. (TrustedTypesCreatePolicyWithEmptyName; not sure yet which release it'll appear in.)

@koto (Member) commented Oct 31, 2024

https://chromestatus.com/metrics/feature/timeline/popularity/4897 shows results in the range of 0.000001 page loads. Just checking with you, @otherdaniel that it's a threshold low enough that we could remove the support for empty policy name?

koto added a commit to koto/trusted-types that referenced this issue Oct 31, 2024
@koto koto linked a pull request Oct 31, 2024 that will close this issue
@koto (Member) commented Oct 31, 2024

Tentatively created #560.

Note that it's still possible to create policies that can not be referred to by CSP, as CSP syntax limits us to https://w3c.github.io/trusted-types/dist/spec/#tt-policy-name. Disallowing creating such policies likely has much bigger backwards compatibility risk though.
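The two points raised in this thread (a policy named "" can be created but never listed in a `trusted-types` directive, and, per the comment above, the same holds for any name outside the `tt-policy-name` grammar) can be made concrete with a small model of the directive check. The code below is an added example written for this page; it is not code from the Trusted Types spec, from the w3c/trusted-types repository, or from any browser. It assumes the spec grammar `tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )` and the expressions `*`, `'none'` and `'allow-duplicates'` (check these against https://w3c.github.io/trusted-types/dist/spec/#tt-policy-name), and it simplifies the spec's "Should Trusted Type policy creation be blocked by CSP?" algorithm to a single policy with an enforced directive. All function names (`isValidPolicyName`, `parseTrustedTypesDirective`, `isPolicyCreationAllowed`, `policiesRejectedBy`) are hypothetical.

```javascript
// Added example for issue #466 (not spec or browser code): a model of the
// "trusted-types" CSP directive check, showing why a policy created with
// policyName "" (or any name outside the tt-policy-name grammar) can only be
// allowed through the "*" wildcard and never by listing it.
//
// Assumed grammar (my reading of the spec; verify against the spec link):
//   tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
//   tt-expression  = tt-policy-name / "*" / "'none'" / "'allow-duplicates'"
// The "1*" is the whole point: the empty string is not a tt-policy-name.
const TT_POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// True iff `name` could appear as a tt-policy-name in a CSP header value.
function isValidPolicyName(name) {
  return typeof name === 'string' && TT_POLICY_NAME.test(name);
}

// Tokenize a directive value such as "myPolicy other 'allow-duplicates'".
// Tokens that match no expression are collected in `invalid`; a real CSP
// parser would simply ignore them, which is why they can never grant anything.
function parseTrustedTypesDirective(value) {
  const parsed = {
    wildcard: false,        // "*" present: any policy name matches
    none: false,            // 'none' present
    allowDuplicates: false, // 'allow-duplicates' present
    names: new Set(),       // well-formed policy names that were listed
    invalid: [],            // tokens that are neither keywords nor valid names
  };
  for (const token of value.trim().split(/\s+/).filter(Boolean)) {
    if (token === '*') parsed.wildcard = true;
    else if (token === "'none'") parsed.none = true;
    else if (token === "'allow-duplicates'") parsed.allowDuplicates = true;
    else if (isValidPolicyName(token)) parsed.names.add(token);
    else parsed.invalid.push(token);
  }
  return parsed;
}

// Simplified model of the spec algorithm for one enforced policy:
// would trustedTypes.createPolicy(policyName, ...) be allowed?
// `createdNames` holds the names already created on the page (duplicate check).
function isPolicyCreationAllowed(directiveValue, policyName, createdNames = new Set()) {
  const d = parseTrustedTypesDirective(directiveValue);
  // 'none' on its own allows nothing.
  if (d.none && !d.wildcard && d.names.size === 0) return false;
  // The name must be matched by some expression. "*" matches every name;
  // otherwise it must be listed exactly. "" and malformed names can never be
  // listed, so they are reachable only through "*".
  const matched = d.wildcard || d.names.has(policyName);
  if (!matched) return false;
  // Creating the same name twice needs 'allow-duplicates'.
  if (createdNames.has(policyName) && !d.allowDuplicates) return false;
  return true;
}

// Defender's check: given the policy names a page actually creates, which of
// them would be rejected under this directive once it is enforced?
function policiesRejectedBy(directiveValue, policyNames) {
  return policyNames.filter((n) => !isPolicyCreationAllowed(directiveValue, n));
}

// Constructed sample: a page creating a named policy, an unnamed one ("") and
// one whose name contains a space, under a directive that lists only the first.
console.log(policiesRejectedBy('myPolicy', ['myPolicy', '', 'my policy']));
```

Running the sample shows that only `myPolicy` survives an enforced `trusted-types myPolicy`; the unnamed policy and the space-containing one are rejected, and the only directive value that admits them is `*`. That is the compatibility trade-off discussed above: sites that rely on such names today can only be covered by the wildcard, which also waives the per-name restriction for everything else.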
