Summary
The two HTML files lack a require-trusted-types-for CSP directive. The overall application would be more secure with it.
Please describe the problem you are trying to solve.
ElectronNegativity uses Google CSP Evaluator which is currently flagging the lack of a
require-trusted-types-for CSP directive.
Proposed Solution
[ ] Add require-trusted-types-for 'script' to the CSP headers of both files.
[ ] Update the render scripts to avoid directly setting innerHTML and other things that violate the header.
Summary The two HTML files lack a require-trusted-types-for CSP directive. The overall application would be more secure with it.
Please describe the problem you are trying to solve. ElectronNegativity uses Google CSP Evaluator which is currently flagging the lack of a require-trusted-types-for CSP directive.
Proposed Solution
require-trusted-types-for 'script'
to the CSP headers of both files.innerHTML
and other things that violate the header.