
Partytown compatibility with CSP Trusted Types

Open exequiel09 opened this issue 2 years ago • 0 comments

Describe the bug
I recently tried enabling CSP Trusted Types with a site that uses Partytown, and it throws errors about TrustedScript assignment in these specific files:

https://github.com/BuilderIO/partytown/blob/0a06db0e2034188a6330d51eb6ab06cce90ecb6d/src/lib/web-worker/worker-exec.ts#L121 (screenshot attached)

https://github.com/BuilderIO/partytown/blob/0a06db0e2034188a6330d51eb6ab06cce90ecb6d/src/lib/web-worker/init-web-worker.ts#L29 (screenshot attached)


I do think that, to fix this, Partytown should ship its own Trusted Types policy and let consumers add the policy via the trusted-types CSP directive. I'm not a security expert, so I'll leave the implementation of a custom Trusted Types policy to the ones who can 😅

To Reproduce
Steps to reproduce the behavior:

  1. Add Partytown to a website
  2. Add CSP rule that enables trusted types

Reproduction link
Please include a link to a Stackblitz or Codesandbox reproducing the issue. We will need to see the issue reproduced with hand-written code - we can't debug giant minified third party scripts directly. If you do not include a clean and simple reproduction of your issue, we won't be able to look into it until you do.

Expected behavior
It should not complain when running a site with Trusted Types enabled.

Partytown version: 0.6.4

exequiel09 avatar Sep 10 '22 04:09 exequiel09
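The fix the issue proposes is for the library to create its own Trusted Types policy and route every string that reaches a script or HTML sink through it, so that a page enforcing `require-trusted-types-for 'script'` can allow-list the policy with `trusted-types <name>`. The following is an added example of that pattern, written for this page; it is not Partytown's code and is not an actual patch to the files linked above. The policy name `partytown`, the function names, and the injected `globalObj` parameter (so the same code runs in a window, in a worker, or under a test with a mock `trustedTypes`) are all assumptions.

```javascript
// Added example (not Partytown's code): wrapping a library's string-to-sink
// assignments in a Trusted Types policy with feature detection and a fallback.
// Browser API used: globalThis.trustedTypes.createPolicy(name, rules).

// Hypothetical policy name a consumer would allow-list with the CSP directive
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types partytown
const POLICY_NAME = 'partytown';

// Identity rules: every value passes through unchanged. Only acceptable because the
// library itself produces these strings; consumer-supplied input must be validated
// before it reaches a rule like this, or the policy becomes a bypass for the CSP.
function identityRules() {
  return {
    createHTML: (s) => String(s),
    createScript: (s) => String(s),
    createScriptURL: (s) => String(s),
  };
}

// Returns { policy, trusted, error }.
//   trusted === true  -> a real TrustedTypePolicy was registered; sinks will accept its output.
//   trusted === false -> either Trusted Types is unsupported (plain strings are fine) or the
//                        CSP refused this policy name (the error is surfaced, not swallowed).
function createSinkPolicy(globalObj, name = POLICY_NAME) {
  const tt = globalObj && globalObj.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    try {
      return { policy: tt.createPolicy(name, identityRules()), trusted: true, error: null };
    } catch (e) {
      // createPolicy throws when the page's trusted-types directive does not list this
      // name (or lists it without 'allow-duplicates' and it was already created).
      return { policy: identityRules(), trusted: false, error: String(e) };
    }
  }
  // No Trusted Types support: the sinks accept ordinary strings.
  return { policy: identityRules(), trusted: false, error: null };
}

// Helpers the library would call right before each sink, e.g.
//   script.textContent = toTrustedScript(p, code)   // instead of assigning the raw string
//   new Worker(toTrustedScriptURL(p, workerUrl))
//   el.innerHTML = toTrustedHTML(p, markup)
function toTrustedScript(policy, source) { return policy.createScript(source); }
function toTrustedScriptURL(policy, url) { return policy.createScriptURL(url); }
function toTrustedHTML(policy, html) { return policy.createHTML(html); }
```

When `trusted` is false and `error` is set, the library should report it rather than continue silently: under an enforcing CSP the next raw-string assignment will fail with exactly the TrustedScript error shown in the screenshots, and the consumer's fix is to add the policy name to their `trusted-types` directive. Detection-wise, a `report-uri`/`report-to` on the CSP will capture these violations with `"blocked-uri": "trusted-types-sink"`, which is a useful signal while rolling the policy out in report-only mode.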