Support CSP `require-trusted-types-for`

[xamir82]

Describe the problem

Even though require-trusted-types-for seems to be present in the list of CSP directives in the configuration, setting it (to script, which is its only value) will actually cause SvelteKit to fail to function properly:

Describe the proposed solution

I don't know much about this directive but it seems like what is assigned to innerHTML properties and whatnot, must be a special "trusted" type — see this article.

SvelteKit (or probably Svelte, more specifically) does do a lot of these things (e.g. changing innerHTML properties and so on), so SvelteKit should probably account for this when this directive is enabled.

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

[AlanBreck]

@xamir82, can you confirm that these errors are due to Svelte and not your own code? In my case, the errors were caused by setting .src on a script tag in the site analytics set up.

[fallaciousreasoning]

Hey so I've got a PR for Svelte that will fix a very specific subset of this problem (CSS for custom elements) sveltejs/svelte#8135

You could probably do something similar to fix the above issue, as looking at the console output it looks like this only applies to updating styles (which we can do via textContent rather than innerHTML which won't trigger the TrustedTypes check).

From a higher level, it would probably be a good idea to add a few fine grained trusted types policies which Svelte would then use when doing something that could trigger a violation. That way consumers of svelte could whitelist the policies in their CSP.

[aradalvand]

I get the same error:

[teemingc]

This silly snippet makes the error go away
src/routes/+layout.svelte

<script>
	onMount(() => {
		if (window.trustedTypes && trustedTypes.createPolicy) {
			trustedTypes.createPolicy('default', {
				createHTML: (str, sink) => str // ideally sanitise the string here
			});
		}
	})
</script>

[fallaciousreasoning]

@eltigerchino while that will make the problem go away it kind of defeats the purpose of using trusted types. Ideally, Svelte would create its own policy and that could be whitelisted in the CSP.

[teemingc]

Agreed. I've filed an issue for this in the Svelte repo sveltejs/svelte#14438

[kiwixz]

I believe this is fixed now? The Svelte issue was just closed.

[teemingc]

@Rich-Harris are there changes we need to make to kit in lieu of sveltejs/svelte#16271 ?

EDIT: I think so. We should identify the csp config options then add the header. It will require the newer svelte version