Skip to content

Commit

Permalink
Introduced a 'url-allow-http' keyword to the CSP configuration.
Browse files Browse the repository at this point in the history 
If present in trusted-types directive, it will treat all http: and https: URLs like TrustedURLs.
Fixes w3c#65. Such behavior still allows the sites to have a custom, type-only policy for URL sinks (even for policies that allow javascript: URLs
and custom schemes), while allowing a relaxed (but DOM-XSS free) for sites that commonly use regular http(s): URLs in URL sinks.
  • Loading branch information
@koto
koto committed Jun 28, 2018
1 parent ee94f57 commit 22b81d0
Show file tree
Hide file tree
Showing 8 changed files with 158 additions and 48 deletions.
51 changes: 26 additions & 25 deletions dist/es5/trustedtypes.build.js
View file

Large diffs are not rendered by default.

8 changes: 4 additions & 4 deletions dist/es5/trustedtypes.build.js.map
View file

Large diffs are not rendered by default.

22 changes: 11 additions & 11 deletions dist/es6/trustedtypes.build.js
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 22b81d0

Please sign in to comment.