This document requires ‘TrustedScriptURL’ assignment

Tags: , , ,



After adding require-trusted-types-for 'script'; in my Content-Security-Policy header, which introduced from Chrome 83 Beta to help lock down DOM XSS injection sinks,

when I open my website, it becomes a blank page. I got many these three kinds of errors in my console. (Chrome version 83.0.4103.61)

This document requires ‘TrustedScript’ assignment.

This document requires ‘TrustedScriptURL’ assignment.

TypeError: Failed to set the ‘src’ property on ‘HTMLScriptElement’: This document requires ‘TrustedScriptURL’ assignment.

I have read the article Prevent DOM-based cross-site scripting vulnerabilities with Trusted Types. However, the article only says how to handle TrustedHTML, but not TrustedScript or TrustedScriptURL.

Any guide will be helpful. Thanks!

Answer

We have been running into the very same problem.

Here’s how you fix it:

  1. Install the DOMPurify library. npm install --save DOMPurify

  2. Create a file trusted-security-policies.js.

  3. In the entry point for your bundler (like e.g. webpack), import this file first (before any code that potentially violates the content security policy):

    import './path/to/trusted-security-policies';
    
import DOMPurify from 'dompurify';

if (window.trustedTypes && window.trustedTypes.createPolicy) { // Feature testing
    window.trustedTypes.createPolicy('default', {
        createHTML: (string) => DOMPurify.sanitize(string, {RETURN_TRUSTED_TYPE: true}),
        createScriptURL: string => string, // warning: this is unsafe!
        createScript: string => string, // warning: this is unsafe!
    });
}

What this does: Whenever a string is assigned to be parsed as HTML, or as a URL, or as a script, the browser automatically passes this string through the defined handler function.

For HTML, the HTML is being sanitized from potential XSS code by the DOMPurify library.

For scriptURL and script, the string is just passed through. Please note that this effectively disables security for these two parts and should only be used for as long as you haven’t identified how to make these strings safe yourself. As soon as you have that, replace the handler functions accordingly.



Source: stackoverflow