CSP config: Missing quotes in `'script'` when using `require-trusted-types-for: ['script']`
### Describe the bug
Single quotes are missing in the header for the CSP directive `require-trusted-types-for`.
When configuring CSP for `require-trusted-types-for: ['script']`, the output looks like `require-trusted-types-for script`. It is thus missing single quotes, which seem to be required according to the MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for
I believe this could be because "script" is not included in the quoted Set here: https://github.com/sveltejs/kit/blob/c60e957142f7424342772500de2339475dfe7f19/packages/kit/src/runtime/server/page/csp.js#L164-L168 but I'm not familiar enough with the codebase to say so with certainty, and I'm also not sure if simply adding "script" to the quoted list is going to work -- or if it's going to cause other issues.
### Reproduction
Reproduction: https://stackblitz.com/edit/sveltejs-kit-template-default-2q4dhx?file=svelte.config.js
- Add `require-trusted-types-for: ['script']` directive to CSP config
- Reload page and verify `content-security-policy` response header shows `require-trusted-types-for script` (missing single quotes in script)
### Logs
_No response_
### System Info
```
  System:
    OS: Linux 5.15 Ubuntu 22.04.1 LTS 22.04.1 LTS (Jammy Jellyfish)
    CPU: (4) x64 Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz
    Memory: 23.35 GB / 31.28 GB
    Container: Yes
    Shell: 5.8.1 - /usr/bin/zsh
  Binaries:
    Node: 16.15.0 - /usr/local/bin/node
    npm: 8.5.5 - /usr/local/bin/npm
  Browsers:
    Brave Browser: 107.1.45.116
    Chromium: 106.0.5249.119
    Firefox: 106.0.2
  npmPackages:
    @sveltejs/adapter-node: ^1.0.0-next.98 => 1.0.0-next.98
    @sveltejs/kit: ^1.0.0-next.516 => 1.0.0-next.516
    svelte: ^3.52.0 => 3.52.0
    vite: ^3.1.8 => 3.1.8
```
### Severity
annoyance
### Additional Information
_No response_
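
The quoting rule this report turns on, as an added example that is not SvelteKit's code and not part of the original issue: a serializer that single-quotes CSP keyword values (including `script`) and a check that flags bare keywords in an emitted header. The function names, the keyword set and the sample config are assumptions made for illustration.

```javascript
// Added example; not SvelteKit's csp.js. All names here are hypothetical.
// Keyword values that CSP requires to be wrapped in single quotes.
const QUOTED_KEYWORDS = new Set([
  'self', 'none', 'unsafe-inline', 'unsafe-eval', 'unsafe-hashes',
  'strict-dynamic', 'report-sample', 'wasm-unsafe-eval',
  'script' // value of require-trusted-types-for, the subject of this issue
]);
const QUOTED_PREFIXES = ['nonce-', 'sha256-', 'sha384-', 'sha512-'];

function needsQuotes(value) {
  return QUOTED_KEYWORDS.has(value) ||
    QUOTED_PREFIXES.some((prefix) => value.startsWith(prefix));
}

// Turn { directive: [values] } into a Content-Security-Policy header value.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) =>
      [name, ...values.map((v) => (needsQuotes(v) ? `'${v}'` : v))].join(' '))
    .join('; ');
}

// Report bare keywords in an emitted header. In require-trusted-types-for an
// unquoted script is not a valid value, and in a source list a bare keyword
// such as self is read as a host name, so either case deserves a warning.
function findUnquotedKeywords(headerValue) {
  const findings = [];
  for (const part of headerValue.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    for (const value of values) {
      if (needsQuotes(value)) findings.push({ directive: name.toLowerCase(), value });
    }
  }
  return findings;
}

// Constructed sample: the config from the report plus a script-src list.
const sampleConfig = {
  'script-src': ['self', 'https://cdn.example'],
  'require-trusted-types-for': ['script']
};
const fixedHeader = serializeCsp(sampleConfig);
const reportedHeader = 'require-trusted-types-for script'; // output quoted in the issue
console.log(fixedHeader);
console.log(findUnquotedKeywords(reportedHeader));
console.log(findUnquotedKeywords(fixedHeader));
```

Running `findUnquotedKeywords` over the `content-security-policy` response header in an integration test catches this class of regression before deployment.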