Added a comment about fromLiteral. (w3c#409)

Closes w3c#393.
koto · Jan 19, 2024 · 4ae7917 · 4ae7917
1 parent 6676495
commit 4ae7917
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/spec/index.bs b/spec/index.bs
@@ -1564,9 +1564,8 @@ Content-Security-Policy: require-trusted-types-for 'script'; trusted-types one t
 
 <div class="example" id="header-that-allows-no-policy-names">
 An empty [=directive=] [=directive/value=] indicates policies may not be created,
-and sinks expect Trusted Type values, i.e. no DOM XSS [=injection sinks=] can be used
-at all.
-
+and sinks expect Trusted Type values, i.e. DOM XSS [=injection sinks=] cannot be used
+with dynamic values. Values for those sinks can only be created by <code>fromLiteral</code> tag functions.
 <pre class="http">
 Content-Security-Policy: trusted-types; require-trusted-types-for 'script'
 </pre>