CSP:EE does not support Trusted Types CSP directives #628
Comments
Hi @tosmolka, I'm happy to update the spec, but I'm not sure when we can get to the implementation (due to other backlogs).
@shhnjk, we are in discussions with Edge team about the implementation, not yet sure about the timelines. I'll reach out once I know more. Do you guys have any updates about the spec? Thanks.
The spec change is up at w3c/webappsec-cspee#29 now :) Let's see how it goes.
@shhnjk, any update regarding the change in spec? Edge team is still reviewing the changes needed in the implementation, not yet sure about the timelines on our side. Thanks.
Hello @shhnjk, resurrecting this older discussion, I also commented in the webappsec-cspee PR. Any updates about this issue? Thanks.
CSP:EE spec defines Effective Directive Value as a static list of supported CSP directives. CSP:EE was written before Trusted Types and thus the list does not include CSP directives trusted-types and require-trusted-types-for defined in Trusted Types spec. This means CSP:EE can't be used for validating Trusted Types enforcement within embedded content. We probably need a change in the specification and then follow-up changes in the implementation (ref chromium).
We have a scenario where we would like to use CSP:EE to permit embedding of web app via iframe if and only if it enforces Trusted Types. This is intended as a defense in depth mechanism for first party web apps that are already supposed to enforce Trusted Types. It would be good if CSP:EE could actually validate this assumption.
This was also discussed in Chromium bug 1446253
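To make the gap described in this issue concrete, here is an added example (not code from the issue author, the CSP:EE spec or Chromium) that models the embedder-side check in simplified form: the embedder's required policy is compared directive by directive against the policy the embedded document returned, and any directive not on the "effective directive" list is skipped. The directive lists, the parsePolicy and subsumes helpers, the policy name appPolicy, and the subsumption rules for the two Trusted Types directives are all assumptions made for illustration, not the spec's algorithm.

```javascript
// Added example: simplified model of a CSP:EE "does the returned policy
// subsume the required policy" check. Assumption: not the spec algorithm,
// not Chromium code; the per-directive rules below are simplified.

// Models the pre-change state described in the issue: the Trusted Types
// directives are absent from the list, so a required
// require-trusted-types-for / trusted-types is silently ignored.
const LEGACY_EFFECTIVE_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'frame-src',
]);

// Models the requested change: the two Trusted Types directives are known.
const EXTENDED_EFFECTIVE_DIRECTIVES = new Set([
  ...LEGACY_EFFECTIVE_DIRECTIVES,
  'trusted-types', 'require-trusted-types-for',
]);

// Parse a serialized CSP ("name v1 v2; name2 v3") into Map<name, string[]>.
// As in CSP, the first occurrence of a directive name wins.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Does the value the embedded document returned enforce at least what
// the embedder required for this one directive? (Simplified rules.)
function directiveSubsumes(name, requiredValue, returnedValue) {
  if (name === 'require-trusted-types-for') {
    // Every required sink type ('script') must be covered by the returned value.
    return requiredValue.every((v) => returnedValue.includes(v));
  }
  if (name === 'trusted-types') {
    // The returned policy may only allow policy names (and keywords such as
    // 'allow-duplicates') that the embedder also allowed; 'none' is stricter.
    const required = new Set(requiredValue);
    return returnedValue.every((v) => required.has(v) || v === "'none'");
  }
  // Source lists: the returned list must not permit a source the embedder did not.
  const required = new Set(requiredValue);
  return returnedValue.every((v) => required.has(v));
}

// Embedder-side check: true when the embedded document may be rendered.
function subsumes(requiredSerialized, returnedSerialized, effectiveDirectives) {
  const required = parsePolicy(requiredSerialized);
  const returned = parsePolicy(returnedSerialized);
  for (const [name, requiredValue] of required) {
    if (!effectiveDirectives.has(name)) continue; // unknown to CSP:EE: ignored
    const returnedValue = returned.get(name);
    if (returnedValue === undefined) return false; // embedded doc does not set it
    if (!directiveSubsumes(name, requiredValue, returnedValue)) return false;
  }
  return true;
}

// Constructed sample: the embedder wants Trusted Types enforced in the frame.
const REQUIRED = "require-trusted-types-for 'script'; trusted-types appPolicy";

// Returns the decision for each directive list, so the gap is visible:
// with the legacy list the frame is accepted even though it returned no
// Trusted Types directives at all.
function demo() {
  const noTrustedTypes = "script-src 'self'";
  const enforcing = "require-trusted-types-for 'script'; trusted-types appPolicy";
  return {
    legacyAcceptsUnenforced: subsumes(REQUIRED, noTrustedTypes, LEGACY_EFFECTIVE_DIRECTIVES),
    extendedAcceptsUnenforced: subsumes(REQUIRED, noTrustedTypes, EXTENDED_EFFECTIVE_DIRECTIVES),
    extendedAcceptsEnforcing: subsumes(REQUIRED, enforcing, EXTENDED_EFFECTIVE_DIRECTIVES),
  };
}
```

With the legacy directive list the check passes for a frame that never enabled Trusted Types, which is exactly why the issue asks for the spec's list to be extended; with the extended list the same frame is rejected and only a document that returns both directives, with policy names no wider than the embedder's, is accepted.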