The Live Helper Chat widget (widgetv2/index.js) triggers Trusted Types violations when a site uses the CSP directive require-trusted-types-for 'script'.
Violations observed
-
Element innerHTML — setting innerHTML on the status container:
Element innerHTML|<div id="lhc_status_container" class="no...
-
Source: widgetv2/index.js line 2, column 6662
-
HTMLScriptElement src — dynamically setting script.src to load additional widget scripts:
HTMLScriptElement src|https://chat.helptexts.com/design/defaul...
-
Source: widgetv2/index.js line 2, column 85318
CSP header used
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri /csp-report/; report-to csp-endpoint
Suggested fixes
- Replace innerHTML assignments with safe DOM APIs (createElement, textContent, appendChild)
- For dynamic script loading, consider using a configurable Trusted Types policy, or document how consumers can create a default policy to wrap these
assignments
References
The Live Helper Chat widget (widgetv2/index.js) triggers Trusted Types violations when a site uses the CSP directive require-trusted-types-for 'script'.
Violations observed
Element innerHTML — setting innerHTML on the status container:
Element innerHTML|<div id="lhc_status_container" class="no...
Source: widgetv2/index.js line 2, column 6662
HTMLScriptElement src — dynamically setting script.src to load additional widget scripts:
HTMLScriptElement src|https://chat.helptexts.com/design/defaul...
Source: widgetv2/index.js line 2, column 85318
CSP header used
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri /csp-report/; report-to csp-endpoint
Suggested fixes
assignments
References
https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
Similar issues have been addressed by jackocnr/intl-tel-input@33c3166 and raised with
https://github.com/uikit/uikit