sveltejs / kit

web development, streamlined
https://svelte.dev/docs/kit
MIT License

Support CSP `require-trusted-types-for` #7975

Open xamir82 opened 1 year ago

xamir82 commented 1 year ago

Describe the problem

Even though require-trusted-types-for seems to be present in the list of CSP directives in the configuration, setting it (to script, which is its only value) will actually cause SvelteKit to fail to function properly:

image

Describe the proposed solution

I don't know much about this directive but it seems like what is assigned to innerHTML properties and whatnot must be a special "trusted" type — see this article.

SvelteKit (or probably Svelte, more specifically) does do a lot of these things (e.g. changing innerHTML properties and so on), so SvelteKit should probably account for this when this directive is enabled.

Alternatives considered

No response

Importance

nice to have

Additional Information

No response

AlanBreck commented 1 year ago

@xamir82, can you confirm that these errors are due to Svelte and not your own code? In my case, the errors were caused by setting .src on a script tag in the site analytics setup.

fallaciousreasoning commented 1 year ago

Hey so I've got a PR for Svelte that will fix a very specific subset of this problem (CSS for custom elements) https://github.com/sveltejs/svelte/pull/8135

You could probably do something similar to fix the above issue, as looking at the console output it looks like this only applies to updating styles (which we can do via textContent rather than innerHTML which won't trigger the TrustedTypes check).

From a higher level, it would probably be a good idea to add a few fine-grained trusted types policies which Svelte would then use when doing something that could trigger a violation. That way consumers of svelte could whitelist the policies in their CSP.
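The two mitigations described in the comment above (writing CSS via textContent, and minting markup through a named policy that the CSP allowlists), as one added example that is not Svelte's or SvelteKit's code. The policy name `svelte-styles` is an assumption, and the directive object only mirrors the key shape of SvelteKit's `kit.csp.directives` option.

```javascript
// Added example, not project code. CSP directives in the shape SvelteKit's
// `kit.csp.directives` accepts. `require-trusted-types-for 'script'` makes
// innerHTML and similar sinks reject plain strings; `trusted-types` names the
// policies (here the assumed 'svelte-styles') allowed to produce TrustedHTML.
const cspDirectives = {
  'default-src': ['self'],
  'require-trusted-types-for': ['script'],
  'trusted-types': ['svelte-styles'],
};

// Serialize the directive map into a Content-Security-Policy header value.
// CSP keywords are single-quoted; trusted-types policy names are bare tokens.
function serializeCsp(directives) {
  const keywords = new Set(['self', 'none', 'script', 'unsafe-inline', 'strict-dynamic']);
  return Object.entries(directives)
    .map(([name, values]) =>
      `${name} ${values.map((v) => (keywords.has(v) ? `'${v}'` : v)).join(' ')}`)
    .join('; ');
}

// Mitigation 1: write CSS through textContent. textContent is not a Trusted
// Types sink, so the assignment succeeds without any policy.
function setStyleText(styleEl, css) {
  styleEl.textContent = css;
  return styleEl;
}

// Mitigation 2: a named policy that wraps CSS in a <style> element. `</` is
// escaped (valid CSS escape) so the CSS text cannot close the element early.
// In a browser this registers via trustedTypes.createPolicy; where Trusted
// Types are unavailable (e.g. Node) the plain rules object is returned so the
// calling code keeps the same interface.
function createStylePolicy(name = 'svelte-styles') {
  const rules = {
    createHTML: (css) => `<style>${css.replace(/<\//g, '<\\/')}</style>`,
  };
  const tt = globalThis.trustedTypes;
  return tt && typeof tt.createPolicy === 'function' ? tt.createPolicy(name, rules) : rules;
}

// With the policy above, innerHTML receives a TrustedHTML object in the browser
// (a plain string under the fallback), so the CSP check passes.
function setStyleHtml(container, policy, css) {
  container.innerHTML = policy.createHTML(css);
  return container;
}
```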

aradalvand commented 1 year ago

I get the same error:

image