From e7c201288c3d29803f7885aad8373f7ebc540256 Mon Sep 17 00:00:00 2001
From: Milan Burda <milan.burda@gmail.com>
Date: Mon, 25 Jan 2021 17:08:58 +0100
Subject: [PATCH] chore: enable Trusted Types in default app (#27453)

---
 default_app/index.html | 1 +
 default_app/preload.ts | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/default_app/index.html b/default_app/index.html
index a4edefea906..5ac92e4fb8f 100644
--- a/default_app/index.html
+++ b/default_app/index.html
@@ -2,6 +2,7 @@
 
 <head>
   <title>Electron</title>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'; trusted-types electron-default-app" />
   <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'sha256-6PH54BfkNq/EMMhUY7nhHf3c+AxloOwfy7hWyT01CM8='; style-src 'self'; img-src 'self'; connect-src 'self'" />
   <link href="./styles.css" type="text/css" rel="stylesheet" />
   <link href="./octicon/build.css" type="text/css" rel="stylesheet" />
diff --git a/default_app/preload.ts b/default_app/preload.ts
index b18130a1d0f..c446398912a 100644
--- a/default_app/preload.ts
+++ b/default_app/preload.ts
@@ -1,10 +1,15 @@
 import { ipcRenderer, contextBridge } from 'electron';
 
+const policy = window.trustedTypes.createPolicy('electron-default-app', {
+  // we trust the SVG contents
+  createHTML: input => input
+});
+
 async function getOcticonSvg (name: string) {
   try {
     const response = await fetch(`octicon/${name}.svg`);
     const div = document.createElement('div');
-    div.innerHTML = await response.text();
+    div.innerHTML = policy.createHTML(await response.text());
     return div;
   } catch {
     return null;