Trusted Types support
RequireJS should support the Trusted Types API so that it can be seamlessly integrated into applications that enforce Trusted Types for all DOM XSS injection sinks (e.g. assignments to the `HTMLScriptElement.src` attribute) via the CSP directive `require-trusted-types-for`. Trusted Types APIs are now fully supported in browsers with the Blink engine (Chrome, Edge and others).
To support Trusted Types we should identify all instances where RequireJS calls such methods and propose refactoring. We need to be careful to keep supporting browsers without Trusted Types support. This is usually done by testing whether `window.trustedTypes` is defined and falling back to the current behavior if it is not.
We know so far about these locations:
- Assignment to `HTMLScriptElement.src` should use a `TrustedScriptURL` instead of a string (line 1945 in 898ff9e): `node.src = url;`
- The call to `WorkerGlobalScope.importScripts` in a Web Worker should use a `TrustedScriptURL` instead of a string (line 1979 in 898ff9e): `importScripts(url);`
- The call to `eval` should use a `TrustedScript` instead of a string (line 2140 in 898ff9e): `return eval(text);`
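The refactoring sketched above (one policy, a `window.trustedTypes` check with a string fallback, and the three sinks fed from that policy), as an added example that is not RequireJS code; the policy name `requirejs-loader` and the `fakeTrustedTypesGlobal` stand-in are assumptions made so the two paths can be compared outside a browser.

```javascript
// Added example, not RequireJS code. The policy name is a placeholder.

// Build the policy once. Under enforcement, tt.createPolicy returns a policy
// whose createScriptURL/createScript mint TrustedScriptURL/TrustedScript
// objects; without Trusted Types the fallback returns plain strings.
function createLoaderPolicy(globalObj, policyName = 'requirejs-loader') {
  const tt = globalObj && globalObj.trustedTypes;
  const rules = {
    // URL resolved from the loader's own module config; a stricter policy
    // could additionally check it against the configured baseUrl.
    createScriptURL: (url) => url,
    // Module text the loader fetched itself (the eval path).
    createScript: (text) => text,
  };
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(policyName, rules);
  }
  return rules; // fallback: same call shape, string results
}

// Sink 1: HTMLScriptElement.src (a string assignment throws under enforcement).
function setScriptSource(node, url, policy) {
  node.src = policy.createScriptURL(url);
  return node.src;
}

// Sink 2: importScripts inside a Web Worker.
function importWorkerScripts(workerScope, url, policy) {
  workerScope.importScripts(policy.createScriptURL(url));
}

// Sink 3: eval of fetched module text. Indirect eval keeps global scope and
// accepts a TrustedScript when Trusted Types are enforced.
function evalModuleText(text, policy) {
  return (0, eval)(policy.createScript(text));
}

// Constructed stand-in for window.trustedTypes (assumption, not a browser
// API): it returns tagged wrappers instead of real TrustedScriptURL objects.
function fakeTrustedTypesGlobal() {
  return {
    trustedTypes: {
      createPolicy: (name, rules) => ({
        name,
        createScriptURL: (u) => ({ kind: 'TrustedScriptURL', toString: () => rules.createScriptURL(u) }),
        createScript: (t) => ({ kind: 'TrustedScript', toString: () => rules.createScript(t) }),
      }),
    },
  };
}
```

The policy is a pass-through, so the gain under enforcement is that the application's CSP `trusted-types` directive controls which policy names may be created and every script sink is fed through one auditable place; validating URLs inside `createScriptURL` against the loader's configured baseUrl tightens it further.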