Enable trusted-types

This commit adds a policy, and make use of it in the Content-Security-Policy. I've tested it the best I could, both on a modern browser supporting trusted-types (Chrome) and on one that doesn't (firefox). Thanks to @lweichselbaum for giving me a hand to wrap this up!
author: jvoisin <julien.voisin@dustri.org> 2024-03-18 00:45:41 +0100
committer: Frédéric Guillot <f@miniflux.net> 2024-03-20 17:50:37 -0700
commit: ed2077119491bcc198ae84df5b1b1ed6f13f78f1 (patch)
tree: 408252a9571f8b28a9fda14b9949bd73831a5d28 /internal/ui/static/js
parent: beb8c80787beadbfdb8b970368a3200f7d59f58e (diff)
download: v2-ed2077119491bcc198ae84df5b1b1ed6f13f78f1.tar.gz
v2-ed2077119491bcc198ae84df5b1b1ed6f13f78f1.tar.zst
v2-ed2077119491bcc198ae84df5b1b1ed6f13f78f1.zip
3 files changed, 17 insertions, 2 deletions
diff --git a/internal/ui/static/js/app.js b/internal/ui/static/js/app.js
index 00083b20..79ffb4b5 100644
--- a/internal/ui/static/js/app.js
+++ b/internal/ui/static/js/app.js
@@ -352,7 +352,7 @@ function handleFetchOriginalContent() {
 
         response.json().then((data) => {
             if (data.hasOwnProperty("content") && data.hasOwnProperty("reading_time")) {
-                document.querySelector(".entry-content").innerHTML = data.content;
+                document.querySelector(".entry-content").innerHTML = ttpolicy.createHTML(data.content);
                 const entryReadingtimeElement = document.querySelector(".entry-reading-time");
                 if (entryReadingtimeElement) {
                     entryReadingtimeElement.textContent = data.reading_time;
diff --git a/internal/ui/static/js/bootstrap.js b/internal/ui/static/js/bootstrap.js
index c83704c3..44d6e716 100644
--- a/internal/ui/static/js/bootstrap.js
+++ b/internal/ui/static/js/bootstrap.js
@@ -129,7 +129,7 @@ document.addEventListener("DOMContentLoaded", () => {
     if ("serviceWorker" in navigator) {
         const scriptElement = document.getElementById("service-worker-script");
         if (scriptElement) {
-            navigator.serviceWorker.register(scriptElement.src);
+	    navigator.serviceWorker.register(ttpolicy.createScriptURL(scriptElement.src));
         }
     }
 
diff --git a/internal/ui/static/js/tt.js b/internal/ui/static/js/tt.js
new file mode 100644
index 00000000..f42cc47a
--- /dev/null
+++ b/internal/ui/static/js/tt.js
@@ -0,0 +1,15 @@
+let ttpolicy;
+if (window.trustedTypes && trustedTypes.createPolicy) {
+    //TODO: use an allow-list for `createScriptURL`
+    if (!ttpolicy) {
+        ttpolicy = trustedTypes.createPolicy('ttpolicy', {
+            createScriptURL: src => src,
+            createHTML: html => html,
+        });
+    }
+} else {
+    ttpolicy = {
+        createScriptURL: src => src,
+        createHTML: html => html,
+    };
+}
author	jvoisin <julien.voisin@dustri.org>	2024-03-18 00:45:41 +0100
committer	Frédéric Guillot <f@miniflux.net>	2024-03-20 17:50:37 -0700
commit	ed2077119491bcc198ae84df5b1b1ed6f13f78f1 (patch)
tree	408252a9571f8b28a9fda14b9949bd73831a5d28 /internal/ui/static/js
parent	beb8c80787beadbfdb8b970368a3200f7d59f58e (diff)
download	v2-ed2077119491bcc198ae84df5b1b1ed6f13f78f1.tar.gz v2-ed2077119491bcc198ae84df5b1b1ed6f13f78f1.tar.zst v2-ed2077119491bcc198ae84df5b1b1ed6f13f78f1.zip