Skip to content

Disallow empty policy names on creation. #560

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Disallow empty policy names on creation. #560

wants to merge 1 commit into from

Conversation

koto
Copy link
Member

@koto koto commented Oct 31, 2024
edited by pr-preview bot
Loading

Fixes #466.

Preview | Diff

@koto koto mentioned this pull request Oct 31, 2024
Open
mbrodesser-Igalia
mbrodesser-Igalia requested changes Nov 12, 2024
View reviewed changes
spec/index.bs
@@ -954,6 +954,7 @@ To create a {{TrustedTypePolicy}}, given a {{TrustedTypePolicyFactory}} (|factor
a string (|policyName|), {{TrustedTypePolicyOptions}} dictionary (|options|), and a
[=realm/global object=] (|global|) run these steps:

1. If |policyName| is the empty string, throw a TypeError and abort further steps.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please link to the more general spec issue with a note like:

<p class=note> Disallowing the empty string since CSP directives can't refer to that. A limited set of other directives can't be referred to either; those, web-developers will have to rename if they need to be referenced; see https://github.com/w3c/trusted-types/issues/504#issue-2247635542.</p>

lukewarlow
lukewarlow approved these changes Mar 28, 2025
View reviewed changes
Copy link
Member

@lukewarlow lukewarlow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pending compat analysis on this (not sure if a use counter was ever added), this seems fine to me.

spec/index.bs
@@ -954,6 +954,7 @@ To create a {{TrustedTypePolicy}}, given a {{TrustedTypePolicyFactory}} (|factor
a string (|policyName|), {{TrustedTypePolicyOptions}} dictionary (|options|), and a
[=realm/global object=] (|global|) run these steps:

1. If |policyName| is the empty string, throw a TypeError and abort further steps.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need to say abort further steps? Throwing automatically does that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbrodesser-Igalia mbrodesser-Igalia mbrodesser-Igalia requested changes

@lukewarlow lukewarlow lukewarlow approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@koto @lukewarlow @mbrodesser-Igalia