Merge pull request #529 from Baroshem/vejja/issue526

feat(csp): trusted types

docs/content/1.documentation/2.headers/1.csp.md

@@ -77,6 +77,8 @@ contentSecurityPolicy: {
   'frame-ancestors'?: ("'self'" | "'none'" | string)[] | false;
   'report-uri'?: string[] | false;
   'report-to'?: string | false;
+  'require-trusted-types-for'?: string | false;
+  'trusted-types'?: string[] | string | false;
   'upgrade-insecure-requests'?: boolean;
 } | false
 ```

src/types/headers.ts

@@ -86,6 +86,8 @@ export type ContentSecurityPolicyValue = {
   //'navigate-to'?: ("'self'" | "'none'" | "'unsafe-allow-redirects'" | string)[] | string | false;
   'report-uri'?: string[] | string | false;
   'report-to'?: string | false;
+  'require-trusted-types-for'?: string | false;
+  'trusted-types'?: string[] | string | false;
   'upgrade-insecure-requests'?: boolean;
 };
 

src/utils/headers.ts

@@ -112,7 +112,7 @@ export function headerObjectFromString(optionKey: OptionKey, headerValue: string
     const directives = headerValue.split(';').map(directive => directive.trim()).filter(directive => directive)
     const objectForm = {} as ContentSecurityPolicyValue
     for (const directive of directives) {
-      const [type, ...sources] = directive.split(' ').map(token => token.trim()) as [keyof ContentSecurityPolicyValue, ...any]          
+      const [type, ...sources] = directive.split(' ').map(token => token.trim()) as [keyof ContentSecurityPolicyValue, ...string[]]          
       if (type === 'upgrade-insecure-requests') {
         objectForm[type] = true
       } else {