Skip to content

Widget JS violates Trusted Types (require-trusted-types-for 'script') #2379

Description

@adrianbj

The Live Helper Chat widget (widgetv2/index.js) triggers Trusted Types violations when a site uses the CSP directive require-trusted-types-for 'script'.

Violations observed

  1. Element innerHTML — setting innerHTML on the status container:
    Element innerHTML|<div id="lhc_status_container" class="no...

  2. Source: widgetv2/index.js line 2, column 6662

  3. HTMLScriptElement src — dynamically setting script.src to load additional widget scripts:
    HTMLScriptElement src|https://chat.helptexts.com/design/defaul...

  4. Source: widgetv2/index.js line 2, column 85318

CSP header used

Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri /csp-report/; report-to csp-endpoint

Suggested fixes

  1. Replace innerHTML assignments with safe DOM APIs (createElement, textContent, appendChild)
  2. For dynamic script loading, consider using a configurable Trusted Types policy, or document how consumers can create a default policy to wrap these
    assignments

References

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions