fix: CSP with unsafe-eval detection with Trusted Types (#27446)

spec-main/security-warnings-spec.ts

@@ -22,6 +22,7 @@ describe('security warnings', () => {
   let server: http.Server;
   let w: BrowserWindow;
   let useCsp = true;
+  let useTrustedTypes = false;
   let serverUrl: string;
 
   before((done) => {
@@ -48,8 +49,11 @@ describe('security warnings', () => {
             return;
           }
 
-          const cspHeaders = { 'Content-Security-Policy': 'script-src \'self\' \'unsafe-inline\'' };
-          response.writeHead(200, useCsp ? cspHeaders : undefined);
+          const cspHeaders = [
+            ...(useCsp ? ['script-src \'self\' \'unsafe-inline\''] : []),
+            ...(useTrustedTypes ? ['require-trusted-types-for \'script\'; trusted-types *'] : [])
+          ];
+          response.writeHead(200, { 'Content-Security-Policy': cspHeaders });
           response.write(file, 'binary');
           response.end();
         });
@@ -68,6 +72,7 @@ describe('security warnings', () => {
 
   afterEach(async () => {
     useCsp = true;
+    useTrustedTypes = false;
     await closeWindow(w);
     w = null as unknown as any;
   });
@@ -129,6 +134,22 @@ describe('security warnings', () => {
         expect(message).to.include('Insecure Content-Security-Policy');
       });
 
+      it('should warn about insecure Content-Security-Policy (Trusted Types)', async () => {
+        w = new BrowserWindow({
+          show: false,
+          webPreferences: {
+            enableRemoteModule: false,
+            ...webPreferences
+          }
+        });
+
+        useCsp = false;
+        useTrustedTypes = true;
+        w.loadURL(`${serverUrl}/base-page-security.html`);
+        const [,, message] = await emittedUntil(w.webContents, 'console-message', messageContainsSecurityWarning);
+        expect(message).to.include('Insecure Content-Security-Policy');
+      });
+
       it('should warn about allowRunningInsecureContent', async () => {
         w = new BrowserWindow({
           show: false,