From ed2077119491bcc198ae84df5b1b1ed6f13f78f1 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 18 Mar 2024 00:45:41 +0100
Subject: Enable trusted-types
This commit adds a policy, and make use of it in the Content-Security-Policy. I've tested it the best I could, both on a modern browser supporting trusted-types (Chrome) and on one that doesn't (firefox). Thanks to @lweichselbaum for giving me a hand to wrap this up!
---
internal/ui/static/js/tt.js | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 internal/ui/static/js/tt.js
(limited to 'internal/ui/static/js/tt.js')
diff --git a/internal/ui/static/js/tt.js b/internal/ui/static/js/tt.js
new file mode 100644
index 00000000..f42cc47a
--- /dev/null
+++ b/internal/ui/static/js/tt.js
@@ -0,0 +1,15 @@
+let ttpolicy;
+if (window.trustedTypes && trustedTypes.createPolicy) {
+ //TODO: use an allow-list for `createScriptURL`
+ if (!ttpolicy) {
+ ttpolicy = trustedTypes.createPolicy('ttpolicy', {
+ createScriptURL: src => src,
+ createHTML: html => html,
+ });
+ }
+} else {
+ ttpolicy = {
+ createScriptURL: src => src,
+ createHTML: html => html,
+ };
+}
-- cgit v1.2.3
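Review bot: Both policy callbacks (`createScriptURL: src => src`, `createHTML: html => html`) are identity functions, so once the CSP enforces `require-trusted-types-for 'script'` every sink call that goes through `ttpolicy` is accepted unchanged; the policy satisfies the directive and centralises sink usage for auditing, but it does not yet constrain what reaches `innerHTML` or script `src`. The `//TODO` only mentions `createScriptURL`; `createHTML` deserves the same note, e.g. `// createHTML is a pass-through: callers must still sanitize until a sanitizer is wired in here`. If the UI only loads scripts from its own origin (I cannot see the CSP change in this patch, so that is an assumption), `createScriptURL` can already reject cross-origin URLs as sketched below. The `if (!ttpolicy)` guard is redundant since `ttpolicy` is declared `undefined` on the line above, and a second `createPolicy('ttpolicy', …)` call would throw unless the CSP `trusted-types` directive includes `'allow-duplicates'`, so the guard does not protect against double loading either.
```javascript
    ttpolicy = trustedTypes.createPolicy('ttpolicy', {
      // Accept only same-origin script URLs; anything else is refused by the policy.
      createScriptURL: src => {
        const url = new URL(src, window.location.href);
        if (url.origin !== window.location.origin) {
          throw new TypeError(`Refusing script URL from origin ${url.origin}`);
        }
        return url.href;
      },
      // Pass-through for now: callers must sanitize until a sanitizer is wired in here.
      createHTML: html => html,
    });
```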