github / secure_headers

Manages application of security headers with many safe defaults
MIT License
3.16k stars 252 forks

Add require-trusted-types-for to CSP #474

Closed dorianmariecom closed 2 years ago

dorianmariecom commented 2 years ago

From https://csp-evaluator.withgoogle.com :

Consider requiring Trusted Types for scripts to lock down DOM XSS injection sinks. You can do this by adding "require-trusted-types-for 'script'" to your policy.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for

Example:

Content-Security-Policy: require-trusted-types-for 'script';

Feature Requests

Adding a new CSP directive


When used, those functions only accept non-spoofable, typed values created by Trusted Type policies, and reject strings. Together with trusted-types directive, which guards creation of Trusted Type policies, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review.

https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-csp-directive

Seems like there is only 'script' as a valid value, not sure
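
As an added illustration (not code from the secure_headers gem or from anyone in this thread) of what the requested directive looks like in a serialized policy and why only one value is valid: the minimal `CspBuilder` module below is hypothetical, written for this example, and does not use the gem's API. It takes a snake_case config hash in the same spirit as secure_headers' CSP configuration, emits the header value, and rejects any `require-trusted-types-for` value other than `'script'`, the only sink group the Trusted Types spec defines. The `trusted-types` directive is shown alongside it because the two work together: `trusted-types` restricts which policies may be created, `require-trusted-types-for 'script'` makes the DOM sinks reject plain strings. The policy name `app-sanitizer` is a constructed sample value.

```ruby
# Added example, not secure_headers' own code. CspBuilder is a hypothetical
# serializer written for this illustration; it mirrors the snake_case config
# style of secure_headers but does not call the gem.
module CspBuilder
  # Directive names as they appear on the wire, keyed by config symbol.
  DIRECTIVES = {
    default_src: "default-src",
    script_src: "script-src",
    trusted_types: "trusted-types",
    require_trusted_types_for: "require-trusted-types-for",
  }.freeze

  # Per the Trusted Types spec, 'script' is the only defined sink group for
  # require-trusted-types-for; anything else is a misconfiguration.
  REQUIRE_TRUSTED_TYPES_FOR_VALUES = %w('script').freeze

  # Raised when a directive is given a value it does not define.
  class InvalidDirectiveValue < ArgumentError; end

  # Build a Content-Security-Policy header value from a config hash.
  # Values may be a single string or an array of source expressions.
  def self.build(config)
    config.map do |key, values|
      name = DIRECTIVES.fetch(key) { raise ArgumentError, "unknown directive #{key}" }
      values = Array(values)
      validate_require_trusted_types_for!(values) if key == :require_trusted_types_for
      "#{name} #{values.join(' ')}"
    end.join("; ")
  end

  # Reject values other than 'script' so a typo such as 'style' does not
  # silently ship a directive browsers will ignore.
  def self.validate_require_trusted_types_for!(values)
    bad = values - REQUIRE_TRUSTED_TYPES_FOR_VALUES
    return if bad.empty?

    raise InvalidDirectiveValue,
          "require-trusted-types-for accepts only 'script', got: #{bad.join(' ')}"
  end
end

# Constructed sample configuration: one named policy ("app-sanitizer") is
# allowed, duplicates of that name are permitted, and script sinks must
# receive Trusted Types rather than strings.
POLICY = {
  default_src: %w('self'),
  script_src: %w('self'),
  trusted_types: %w(app-sanitizer 'allow-duplicates'),
  require_trusted_types_for: %w('script'),
}.freeze

puts "Content-Security-Policy: #{CspBuilder.build(POLICY)}" if $PROGRAM_NAME == __FILE__
```

Running it prints the header with `require-trusted-types-for 'script'` appended; passing any other value, such as `'style'`, raises `CspBuilder::InvalidDirectiveValue` before a broken policy reaches the response.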

lgarron commented 2 years ago

@dorianmariefr: require-trusted-types-for is implemented in v6.4.0. Does this meet your needs?

dorianmariecom commented 2 years ago

@lgarron I don't maintain an application that uses secure_headers anymore

lgarron commented 2 years ago

Alright, thanks! I'll mark this as closed, and we can use new issues if there is something to change about the implementation.