From 9ef9a2aa59808ac2aa19323e943d634d55d48d85 Mon Sep 17 00:00:00 2001
From: Krzysztof Kotowicz <koto@google.com>
Date: Thu, 31 Oct 2024 13:09:25 +0100
Subject: [PATCH] Disallow empty policy names on creation.

Fixes https://github.com/w3c/trusted-types/issues/466.
---
 spec/index.bs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/spec/index.bs b/spec/index.bs
index 3d453f0..59c5409 100644
--- a/spec/index.bs
+++ b/spec/index.bs
@@ -954,6 +954,7 @@ To create a {{TrustedTypePolicy}}, given a {{TrustedTypePolicyFactory}} (|factor
 a string (|policyName|), {{TrustedTypePolicyOptions}} dictionary (|options|), and a
 [=realm/global object=] (|global|) run these steps:
 
+1.  If |policyName| is the empty string, throw a TypeError and abort further steps.
 1.  Let |allowedByCSP| be the result of executing [$Should Trusted Type policy
     creation be blocked by Content Security Policy?$] algorithm with |global|,
     |policyName| and |factory|'s [=created policy names=] value.