The CSP:EE spec defines the Effective Directive Value as a static list of supported CSP directives. CSP:EE was written before Trusted Types, so the list does not include the CSP directives `trusted-types` and `require-trusted-types-for` defined in the Trusted Types spec.
This means CSP:EE can't be used for validating Trusted Types enforcement within embedded content. We probably need a change in the specification and then follow-up changes in the implementation (ref chromium).
We have a scenario where we would like to use CSP:EE to permit embedding of a web app via an iframe if and only if it enforces Trusted Types. This is intended as a defense-in-depth mechanism for first-party web apps that are already supposed to enforce Trusted Types. It would be good if CSP:EE could actually validate this assumption.
This was also discussed in Chromium bug 1446253.
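To make the consequence of the static list concrete, here is an added illustration (not code from the CSP:EE spec, the Trusted Types spec or Chromium): a deliberately simplified model of the "does the embedded document's policy subsume the policy required by the iframe `csp` attribute" check. The directive names in `SPEC_EFFECTIVE_DIRECTIVES` are a constructed subset standing in for the spec's table, and the assumption that directive names missing from that table are skipped (rather than rejected) is this model's own simplification. The point it shows is that a requirement such as `require-trusted-types-for 'script'` is not evaluated at all unless the effective-directive list knows the name, so embedding is permitted regardless of whether the embedded app enforces Trusted Types.

```javascript
// Simplified model of CSP:EE subsumption, added for illustration only.
// Constructed subset standing in for the spec's effective-directive table.
const SPEC_EFFECTIVE_DIRECTIVES = new Set([
  "script-src", "style-src", "img-src", "frame-src", "object-src",
]);

// The two directive names the issue asks to have added.
const TRUSTED_TYPES_DIRECTIVES = ["trusted-types", "require-trusted-types-for"];

// The same table with the Trusted Types directives recognised.
const EXTENDED_EFFECTIVE_DIRECTIVES = new Set([
  ...SPEC_EFFECTIVE_DIRECTIVES,
  ...TRUSTED_TYPES_DIRECTIVES,
]);

// Parse a serialized policy ("name value value; name value") into a
// Map of lowercase directive name -> array of source-expression strings.
// Only the first occurrence of a directive name is kept, as CSP does.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [rawName, ...values] = parts;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// Model check: every directive in the required policy (the iframe csp
// attribute) must appear in the embedded response's policy with a value
// set no looser than required (here: embedded values must be a subset of
// the required values). Directive names absent from effectiveDirectives
// are skipped; that skip is this model's assumption, not spec text.
function subsumes(requiredSerialized, embeddedSerialized, effectiveDirectives) {
  const required = parsePolicy(requiredSerialized);
  const embedded = parsePolicy(embeddedSerialized);
  const result = { subsumed: true, checked: [], skipped: [] };
  for (const [name, requiredValues] of required) {
    if (!effectiveDirectives.has(name)) {
      result.skipped.push(name);
      continue;
    }
    result.checked.push(name);
    const embeddedValues = embedded.get(name);
    if (embeddedValues === undefined) {
      result.subsumed = false;
      continue;
    }
    const allowed = new Set(requiredValues);
    if (!embeddedValues.every((v) => allowed.has(v))) result.subsumed = false;
  }
  return result;
}

// Constructed sample policies: what an embedder would put in the iframe
// csp attribute, and two possible Content-Security-Policy responses.
const REQUIRED = "require-trusted-types-for 'script'; trusted-types default";
const ENFORCING =
  "require-trusted-types-for 'script'; trusted-types default; script-src 'self'";
const NOT_ENFORCING = "script-src 'self'";

// With the static table, both Trusted Types directives are skipped and the
// non-enforcing app is still permitted: the check validates nothing.
function withSpecTable() {
  return subsumes(REQUIRED, NOT_ENFORCING, SPEC_EFFECTIVE_DIRECTIVES);
}

// With the extended table, the non-enforcing app is rejected and the
// enforcing one is accepted, which is the behaviour the issue asks for.
function withExtendedTable() {
  return {
    notEnforcing: subsumes(REQUIRED, NOT_ENFORCING, EXTENDED_EFFECTIVE_DIRECTIVES),
    enforcing: subsumes(REQUIRED, ENFORCING, EXTENDED_EFFECTIVE_DIRECTIVES),
  };
}

console.log(JSON.stringify(withSpecTable()));
console.log(JSON.stringify(withExtendedTable()));
```

Run it with `node` to see the two outcomes side by side; the `skipped` array in the first result is the visible trace of the gap described above.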