fix: CSP with unsafe-eval detection with Trusted Types (#27446)

Milan Burda 2021-01-25 02:31:25 +01:00 committed by GitHub
parent 4a5c5843c4
commit 64b7be751a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 63 additions and 3 deletions


@ -272,6 +272,7 @@ declare interface Window {
}
};
ResizeObserver: ResizeObserver;
trustedTypes: TrustedTypePolicyFactory;
}
/**
@ -323,3 +324,41 @@ interface ResizeObserverEntry {
*/
readonly contentRect: DOMRectReadOnly;
}
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types
type TrustedHTML = string;
type TrustedScript = string;
type TrustedScriptURL = string;
type TrustedType = TrustedHTML | TrustedScript | TrustedScriptURL;
type StringContext = 'TrustedHTML' | 'TrustedScript' | 'TrustedScriptURL';
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#typedef-trustedtypepolicy
interface TrustedTypePolicy {
createHTML(input: string, ...arguments: any[]): TrustedHTML;
createScript(input: string, ...arguments: any[]): TrustedScript;
createScriptURL(input: string, ...arguments: any[]): TrustedScriptURL;
}
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#typedef-trustedtypepolicyoptions
interface TrustedTypePolicyOptions {
createHTML?: (input: string, ...arguments: any[]) => TrustedHTML;
createScript?: (input: string, ...arguments: any[]) => TrustedScript;
createScriptURL?: (input: string, ...arguments: any[]) => TrustedScriptURL;
}
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#typedef-trustedtypepolicyfactory
interface TrustedTypePolicyFactory {
createPolicy(policyName: string, policyOptions: TrustedTypePolicyOptions): TrustedTypePolicy
isHTML(value: any): boolean;
isScript(value: any): boolean;
isScriptURL(value: any): boolean;
readonly emptyHTML: TrustedHTML;
readonly emptyScript: TrustedScript;
getAttributeType(tagName: string, attribute: string, elementNs?: string, attrNs?: string): StringContext | null;
getPropertyType(tagName: string, property: string, elementNs?: string): StringContext | null;
readonly defaultPolicy: TrustedTypePolicy | null;
}
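Review bot: The aliases `type TrustedHTML = string;`, `type TrustedScript = string;` and `type TrustedScriptURL = string;` let any plain string stand in for a trusted value, so these declarations give no compile-time separation between policy output and raw input, which is the separation Trusted Types exists to enforce. If the alias is deliberate (for example so `emptyScript` can be passed to string-typed APIs, which is not visible in this section), a comment above the aliases should say so. Otherwise a branded string keeps assignability to `string` while rejecting raw strings. The `TrustedTypePolicyOptions` callbacks would then return `string`, which, as far as I can tell, is what the linked spec's callback definitions return. Separately, `isHTML`/`isScript`/`isScriptURL` could take `unknown` rather than `any`, and the `createPolicy` line lacks its trailing semicolon.

```typescript
// Brand property name is constructed for illustration; the brand is type-level only
// (runtime trusted values are objects, not strings).
type TrustedHTML = string & { readonly __trustedBrand: 'TrustedHTML' };
type TrustedScript = string & { readonly __trustedBrand: 'TrustedScript' };
type TrustedScriptURL = string & { readonly __trustedBrand: 'TrustedScriptURL' };
// … unchanged: TrustedType, StringContext, TrustedTypePolicy …
interface TrustedTypePolicyOptions {
  createHTML?: (input: string, ...arguments: any[]) => string;
  createScript?: (input: string, ...arguments: any[]) => string;
  createScriptURL?: (input: string, ...arguments: any[]) => string;
}
// … unchanged: TrustedTypePolicyFactory …
```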