From aab032b5b219f2ae1a603e92384fc7a35e49e64e Mon Sep 17 00:00:00 2001
From: Eric Cornelissen <ericornelissen@gmail.com>
Date: Wed, 2 Oct 2024 17:04:32 +0200
Subject: [PATCH] Prevent XSS through Trusted Types

Following a5b9363e43f9619df339a5757b8d29bee4cad2b5, this enables the
new "Trusted Types" Content Security Policy for the ades website to
prevent XSS vulnerabilities sneaking in in the future (currently there
are no violations so there should be no XSS vulnerabilities).

I tested this change on a5b9363~1 and it did indeed detect the violation
and prevent XSS (by throwing an error).

In browsers without support for the Trusted Types API this change has no
effect (though it may produce a warning about unknown CSP directives).

Trusted Types: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
CSP: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
---
 web/index.html | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/web/index.html b/web/index.html
index 21c423b..6ecdb4a 100644
--- a/web/index.html
+++ b/web/index.html
@@ -21,6 +21,12 @@
 <head>
 	<title>ades</title>
 	<meta charset="utf-8" />
+
+	<meta
+		http-equiv="Content-Security-Policy"
+		content="trusted-types 'none'; require-trusted-types-for 'script';"
+	/>
+
 	<link rel="stylesheet" href="index.css">
 	<script src="wasm_exec.js"></script>
 </head>
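Review bot: the new `<meta http-equiv="Content-Security-Policy">` is correctly placed before the stylesheet and `wasm_exec.js` (a meta-delivered policy only covers what is parsed after it), but it carries no explanation of what `trusted-types 'none'` commits future contributors to: with no policy creatable at all, not even a `default` one, any later code that assigns a string to an injection sink (`innerHTML`, `eval`, `script.src`, and so on) will throw rather than run, and the fix will have to be either a DOM-API rewrite or a deliberate relaxation to a named policy. Suggest an HTML comment next to the tag stating that intent, e.g. `<!-- Trusted Types enforced: string assignments to DOM sinks throw. Do not relax without review. -->`. Also note that, because the policy is delivered via `<meta>`, `report-uri`/`report-to` are ignored and `Content-Security-Policy-Report-Only` cannot be used at all, so violations surface only as console errors in a browser; if the hosting allows setting response headers, delivering the same policy as an HTTP header would keep the meta tag's effect and additionally allow reporting.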