Enable trusted-types

This commit adds a policy, and make use of it in the Content-Security-Policy. I've tested it the best I could, both on a modern browser supporting trusted-types (Chrome) and on one that doesn't (firefox). Thanks to @lweichselbaum for giving me a hand to wrap this up!
2025-09-15 18:57:04 +00:00 · 2024-03-18 00:45:41 +01:00 · 2024-03-18 00:45:41 +01:00 · ed20771194
commit ed20771194
parent beb8c80787
5 changed files with 20 additions and 4 deletions
--- a/internal/template/templates/common/layout.html
+++ b/internal/template/templates/common/layout.html
@ -36,10 +36,10 @@

    {{ if and .user .user.Stylesheet }}
    {{ $stylesheetNonce := nonce }}
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; style-src 'self' 'nonce-{{ $stylesheetNonce }}'; require-trusted-types-for 'script'; trusted-types ttpolicy;">
    <style nonce="{{ $stylesheetNonce }}">{{ .user.Stylesheet | safeCSS }}</style>
    {{ else }}
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src * data:; media-src *; frame-src *; require-trusted-types-for 'script'; trusted-types ttpolicy;">
    {{ end }}

    <script src="{{ route "javascript" "name" "app" "checksum" .app_js_checksum }}" defer></script>