secure_headers

Trusted types: Use single-quoted `'script'`.

Open lgarron opened this issue 3 years ago • 0 comments

Unlike e.g. require-sri-for (which our previous implementation for), the require-trusted-types-for directive uses:

  • Single-quoted 'script' and 'none' sources (in addition to 'allow-duplicates').
  • Unquoted policies in addition to those.

See:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for
  • https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-csp-directive

Right now we are flexible about both quoted and unquoted sources, but this PR starts by using the values used for the directive per spec / browser implementations.

All PRs:

  • [x] Has tests
  • [ ] Documentation updated

lgarron, Aug 10 '22 02:08
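As an added example, not part of this PR or of the secure_headers gem's own code: a small Ruby serializer that renders the two Trusted Types directives the way the spec and browsers expect (`'script'`, `'none'` and `'allow-duplicates'` single-quoted, policy names and `*` unquoted), accepts either the quoted or unquoted spelling on input, and a checker that tells whether a rendered `Content-Security-Policy` header actually enforces Trusted Types. The spec's enforcement step looks for the quoted token `'script'`, so a header rendered with an unquoted `script` is silently non-enforcing, which is the bug this PR guards against. Function names and the policy-name character class are assumptions made for this example, not gem API.

```ruby
# Added example (not secure_headers code): render and check the Trusted Types
# CSP directives with the quoting the spec and browsers require.

# Keywords that must appear single-quoted in the trusted-types directive.
TT_KEYWORDS = %w[none allow-duplicates].freeze
# require-trusted-types-for currently defines a single sink group: 'script'.
RTTF_KEYWORDS = %w[script].freeze

# Policy-name token, following the spec's tt-policy-name grammar as I recall it
# (letters, digits, - # = _ / @ . %); treat it as an assumption of this example.
POLICY_NAME = /\A[A-Za-z0-9\-#=_\/@.%]+\z/

# Strip one level of single quotes so "'script'" and "script" normalize alike.
def unquote(value)
  v = value.to_s.strip
  quoted = v.length >= 2 && v.start_with?("'") && v.end_with?("'")
  quoted ? v[1..-2] : v
end

# Render require-trusted-types-for; anything other than 'script' is rejected
# rather than emitted, since browsers would ignore it anyway.
def render_require_trusted_types_for(values)
  vals = Array(values).map { |v| unquote(v) }
  bad = vals.reject { |v| RTTF_KEYWORDS.include?(v) }
  raise ArgumentError, "unsupported require-trusted-types-for values: #{bad.inspect}" unless bad.empty?

  "require-trusted-types-for " + vals.uniq.map { |v| "'#{v}'" }.join(" ")
end

# Render trusted-types: keywords quoted, policy names and the wildcard unquoted.
def render_trusted_types(values)
  parts = Array(values).map do |raw|
    v = unquote(raw)
    if TT_KEYWORDS.include?(v)
      "'#{v}'"
    elsif v == "*" || v.match?(POLICY_NAME)
      v
    else
      raise ArgumentError, "invalid trusted-types value: #{raw.inspect}"
    end
  end
  "trusted-types #{parts.join(' ')}"
end

# Return the value tokens of one directive in a serialized CSP header, or nil.
def directive_tokens(header, name)
  header.split(";").each do |directive|
    tokens = directive.strip.split(/\s+/)
    next if tokens.empty?
    return tokens[1..] if tokens.first.downcase == name
  end
  nil
end

# True only when the header carries require-trusted-types-for with the quoted
# 'script' token; an unquoted "script" does not match and enforces nothing.
def enforces_trusted_types?(header)
  tokens = directive_tokens(header, "require-trusted-types-for")
  !tokens.nil? && tokens.include?("'script'")
end

# Constructed sample: a config written with unquoted values still renders correctly.
if __FILE__ == $PROGRAM_NAME
  csp = [
    "default-src 'self'",
    render_require_trusted_types_for("script"),
    render_trusted_types(%w[default dompurify allow-duplicates])
  ].join("; ")
  puts csp
  puts "enforcing: #{enforces_trusted_types?(csp)}"
  puts "unquoted form enforcing: #{enforces_trusted_types?('require-trusted-types-for script')}"
end
```

The checker is the piece worth keeping around: run it over the header your application actually emits (for example in a request spec), since a policy that looks right in a config hash but serializes to `require-trusted-types-for script` gives no DOM-sink protection at all.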