From 2adae0db1456a4c7990aab7ee833b794fceea4a9 Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Tue, 28 May 2024 14:36:54 +0100 Subject: [PATCH] Add an |includeReportOnly| boolean argument to Does sink type require trusted types? --- spec/index.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 32ca41e..aa42175 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -1018,7 +1018,7 @@ Given a {{TrustedType}} type (|expectedType|), a [=realm/global object=] (|globa 1. If |input| has type |expectedType|, return stringified |input| and abort these steps. 1. Let |requireTrustedTypes| be the result of executing [$Does sink type require trusted types?$] algorithm, - passing |global|, and |sinkGroup|. + passing |global|, |sinkGroup|, and true. 1. If |requireTrustedTypes| is `false`, return stringified |input| and abort these steps. 1. Let |convertedInput| be the result of executing [$Process value with a default policy$] with the same arguments as this algorithm. 1. If the algorithm threw an error, rethrow the error and abort the following steps. @@ -1411,11 +1411,10 @@ Content-Security-Policy: trusted-types one two default ### Does sink type require trusted types? ### {#does-sink-require-trusted-types} -Given a [=realm/global object=] (|global|), a string (|sinkGroup|) this algorithm -returns `true` if the [=injection sink=] requires a [=Trusted Type=], and -`false` otherwise. +Given a [=realm/global object=] (|global|), a string (|sinkGroup|) and a boolean (|includeReportOnly|) this algorithm +returns `true` if the [=injection sink=] requires a [=Trusted Type=], and `false` otherwise. -1. Let |result| be `false`. +1. Let |result| be false. 1. For each |policy| in |global|'s CSP list: 1. If |policy|'s directive set does not contain a directive whose [=directive/name=] is `"require-trusted-types-for"`, skip to the next |policy|. 
@@ -1423,7 +1422,8 @@ returns `true` if the [=injection sink=] requires a [=Trusted Type=], and is `"require-trusted-types-for"` 1. If |directive|'s [=directive/value=] does not contain a trusted-types-sink-group which is a match for |sinkGroup|, skip to the next |policy|. - 1. Set |result| to `true`. + 1. Let |enforced| be true if |policy|'s [=policy/disposition=] is `"enforce"`, and false otherwise. + 1. Set |result| to true if |enforced| is true, and set to |includeReportOnly| otherwise. 1. Return |result|. ### Should sink type mismatch violation be blocked by Content Security Policy? ### {#should-block-sink-type-mismatch}
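Review bot: in the `@@ -1018,7 +1018,7 @@` hunk, the call now passes a bare `true` as the third argument, so a reader of this step cannot tell that it means report-only policies are counted for this caller. Suggest naming the parameter at the call site, for example "passing |global|, |sinkGroup|, and true for |includeReportOnly|", or adding a short note on why this algorithm must still run the default policy when only a report-only policy matches. This is also the only call site the patch touches (the three hunks account for all 6 insertions and 6 deletions), so any other invocation of [$Does sink type require trusted types?$] in the spec should be checked for the new argument.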
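Review bot: in the `@@ -1411,11 +1411,10 @@` hunk, the signature gains |includeReportOnly| but the summary sentence never says what it does; it still reads "returns `true` if the [=injection sink=] requires a [=Trusted Type=], and `false` otherwise", which no longer describes the result when the only matching policy is report-only. Suggest stating that |includeReportOnly| controls whether a matching policy whose disposition is not `"enforce"` counts as requiring a Trusted Type. Two smaller points in the same hunk: "a string (|sinkGroup|) and a boolean (|includeReportOnly|) this algorithm" wants a comma before "this algorithm", and "Let |result| be false" drops the backticks while the summary sentence two lines above, and the unchanged "If |requireTrustedTypes| is `false`" step in the first hunk, keep them, so pick one style.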
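Review bot: in the `@@ -1423,7 +1422,8 @@` hunk, the new step "Set |result| to true if |enforced| is true, and set to |includeReportOnly| otherwise" assigns |result| unconditionally inside the "For each |policy|" loop, so the return value depends on policy order. With |includeReportOnly| false, an enforcing policy that matches |sinkGroup| followed by a matching report-only policy sets |result| to true and then back to false, and the algorithm reports that the sink does not require Trusted Types even though an enforced policy does. Suggest making the step monotonic, for example "If |enforced| is true or |includeReportOnly| is true, set |result| to true", or returning true at that point. The wording "and set to |includeReportOnly| otherwise" is also missing its object; "set |result| to |includeReportOnly|" would read more clearly if the assignment form is kept.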