Add support for trusted-types and require-trusted-types #4
Comments
|
FYI @zaproxy is now using this library 😀 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
It would be nice to have handling for: the
trusted-typestrusted-typesandrequire-trusted-types-forThis advice was provided pre-fork:
The process will be basically
ValueValue kinds for new directive values which are more complex than just a boolean. At a glance, you probably want a special Value kind fortt-policy-name, but the others look like they can be handled as booleans on the directive.DirectivesDirective kind for both new directives (trusted-typestrusted-types) and (require-trusted-types-forvaluesfield up to date (by using theaddValueandremoveValueIgnoringCasehelpers, mainly)ValueValue kinds for new directive values which are more complex than just a boolean. At a glance, you probably want a special Value kind fortt-policy-name, but the others look like they can be handled as booleans on the directive.DirectivesDirective kind for both new directives ("trusted-types" and ("require-trusted-types-for")valuesfield up to date (by using theaddValueandremoveValueIgnoringCasehelpers, mainly)"Should Trusted Type policy creation be blocked by Content Security Policy?"Should Trusted Type policy creation be blocked by Content Security Policy?, though these aren't so important.update the parser to handle themThe main challenges in my experience is figuring out what the spec is trying to say and whether that's actually what browsers do. For example, it says the syntax is defined by an ABNF, which means keywords are case-insensitive ("ABNF strings are case insensitive"). So per spec,
'ALLow-DUPlicATES'is a legal way to write'allow-duplicates'. Is that actually intentional? Is that what browsers do? Gotta check. Similarly, are policy names case-sensitive or not? That affects the representation and especially the manipulation of those Values.The text was updated successfully, but these errors were encountered: