acacode / swagger-typescript-api

Generate the API Client for Fetch or Axios from an OpenAPI Specification
MIT License

Cannot apply `require-trusted-types-for 'script'` Content-Security-Policy #985

Open tojaroslaw opened 3 days ago

tojaroslaw commented 3 days ago

Our SOC-2 auditor identified a vulnerability risk with our content security policy because we didn't have an explicit list of trusted-types in our application's Content-Security-Policy. In theory, if a 0-day exploit was found, someone could inject malicious JavaScript into the page and the Content-Security-Policy would block ordinary users from seeing it unless they manually edited the local response headers. The CSP acts as a last line of defense against XSS.

The usual fix is to add `require-trusted-types-for 'script'` to our CSP, find which elements it is blocking and whitelist them. However, this does not work on the docs page because the elements rendered by the Swagger Docs do not have a trustedType associated with them to whitelist.

We do not have a lot of frontend resources available at the moment, so wrapping everything in the frontend code in our own trusted types would be a heavy lift as a workaround. What I would like is for the swagger components to have their own trustedType(s) that I can whitelist on the trusted-types section of the CSP so the docs page will actually render instead of looking like this:

[Screenshot 2024-11-18 at 1 03 49 PM]
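The interaction the issue describes, as an added example that is not code from swagger-typescript-api or Swagger UI: `require-trusted-types-for 'script'` makes DOM sinks such as `innerHTML` reject plain strings, and the separate `trusted-types` directive decides which named policies a page may create. A component that wants to keep working under such a CSP registers one named policy at startup and builds its HTML through it, so the operator can allowlist that name. The policy name `swagger-ui`, the `fakeTrustedTypes` stand-in for `window.trustedTypes`, and the sample markup are assumptions made for this example.

```javascript
// Added example; not code from the project this issue is filed against.
// Models how `require-trusted-types-for 'script'` and `trusted-types` combine,
// and how a page-level component registers a named Trusted Types policy.

// Parse a CSP header value into Map<directive name, token list>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// May a policy named `name` be created under this CSP?
// No `trusted-types` directive: any name is allowed. Otherwise the name must be
// listed or `*` present; `'none'` forbids creating any policy.
function policyAllowed(header, name) {
  const list = parseCsp(header).get('trusted-types');
  if (list === undefined) return true;
  if (list.includes("'none'")) return false;
  return list.includes('*') || list.includes(name);
}

// Does this CSP force DOM XSS sinks (innerHTML, eval, ...) to reject strings?
function rawStringsBlocked(header) {
  const values = parseCsp(header).get('require-trusted-types-for') || [];
  return values.includes("'script'");
}

// Stand-in for window.trustedTypes (assumption: real browsers enforce these
// rules natively) so the enforcement logic can run outside a browser.
function fakeTrustedTypes(header) {
  const created = new Set();
  const allowDuplicates = (parseCsp(header).get('trusted-types') || [])
    .includes("'allow-duplicates'");
  return {
    createPolicy(name, rules) {
      if (!policyAllowed(header, name)) {
        throw new TypeError(`policy "${name}" is not allowed by the trusted-types directive`);
      }
      if (created.has(name) && !allowDuplicates) {
        throw new TypeError(`policy "${name}" already exists`);
      }
      created.add(name);
      // Values produced through the policy carry a marker, like TrustedHTML does.
      return { createHTML: (s) => ({ trusted: true, value: rules.createHTML(s) }) };
    },
  };
}

// Simulates `element.innerHTML = value` under the given CSP: a plain string is
// rejected once require-trusted-types-for 'script' is in force.
function assignInnerHtml(header, value) {
  if (typeof value === 'string') {
    if (rawStringsBlocked(header)) {
      throw new TypeError('This document requires TrustedHTML assignment');
    }
    return value;
  }
  return value.value;
}

// What a component (a hypothetical Swagger UI build) would do: register one
// named policy at startup and create HTML only through it. The rule below
// passes markup through unchanged; a production policy should sanitize the
// markup (for example with a DOMPurify-backed rule) before returning it.
function registerSwaggerPolicy(tt) {
  return tt.createPolicy('swagger-ui', { createHTML: (markup) => markup });
}

// Constructed sample headers: the weak one has no Trusted Types enforcement,
// the strict one enforces it and allowlists only the component's policy name.
const WEAK_CSP = "default-src 'self'; script-src 'self'";
const STRICT_CSP =
  "default-src 'self'; script-src 'self'; " +
  "require-trusted-types-for 'script'; trusted-types swagger-ui";

// End-to-end: under the strict CSP, markup built through the allowlisted
// policy reaches the sink; a raw string would have been rejected.
function demo() {
  const tt = fakeTrustedTypes(STRICT_CSP);
  const policy = registerSwaggerPolicy(tt);
  const html = policy.createHTML('<div class="opblock">GET /pets</div>');
  return assignInnerHtml(STRICT_CSP, html);
}
```

The check a practitioner wants before rolling out the strict header is `policyAllowed(header, name)` for every policy the page's scripts create: a component that creates no policy at all (the reporter's situation) fails at the sink, and a component whose policy name is missing from `trusted-types` fails at `createPolicy`; both show up as console errors rather than rendered content.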