Hi there, I've been browsing through the spec and source code (and implementing a policy on a local project) for an entire day. The proposal is very interesting, but there are a couple of things that aren't clear to me:

1. Why exactly do we need TrustedTypes when we have CSP?
2. How are TrustedTypes different from CSP, what can you accomplish with them that you can't otherwise?

Let's say. based on the list of policies for script-src, I could protect my domain against execution of any kind of script in my DOM by providing a 'nonce-' for my domain inside my CSP header. Same goes for origins of images, iframes, etc. etc.

I'm struggling to understand if TrustedTypes are an alternative to CSP, or complementary approach.

Could you please clarify it for me?

Many thanks in advance.