
Add trusted-types and require-trusted-types-for CSP directives#273

Closed
sideshowbarker wants to merge 2 commits into shapesecurity:main from sideshowbarker:trusted-types

Conversation

@sideshowbarker sideshowbarker commented Jan 2, 2026

This change implements support for the Trusted Types CSP directives as specified in the W3C Trusted Types spec.
Fixes #232.

The trusted-types directive supports:

  • Policy names (with characters: ALPHA/DIGIT/-/#/=/_/@/./%)
  • Keywords: 'none', 'allow-duplicates'
  • Wildcard: *

The require-trusted-types-for directive supports:

  • Keyword: 'script'

Policy names are handled case-sensitively, matching browser behavior (verified via Playwright tests against Chromium and WebKit). Keywords are handled case-insensitively, per the ABNF spec.

Note: Chromium incorrectly treats 'allow-duplicates' as case-sensitive, while WebKit correctly treats it as case-insensitive. We follow the spec. See https://issues.chromium.org/issues/472892238


This PR branch also includes some Playwright browser tests for trusted-types case-sensitivity. The tests verify browser behavior for the trusted-types CSP directive, specifically checking whether keywords and policy names are treated as case-sensitive or case-insensitive.

  • Policy names

    case-sensitive in both Chromium and WebKit

  • Keywords ('none')

    case-insensitive in both browsers

  • Keywords ('allow-duplicates')

    case-insensitive in WebKit, incorrectly case-sensitive in Chromium
    https://issues.chromium.org/issues/472892238
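As an added example (not code from this PR or from the salvation project), a small JavaScript parser for the two directive values using the grammar and case rules described above; the function names and the isPolicyNameAllowed check are my own assumptions, modelled on the allow-list semantics of the Trusted Types spec:

```javascript
// Policy-name character set as listed in the PR: ALPHA / DIGIT / - / # / = / _ / @ / . / %
const POLICY_NAME_RE = /^[A-Za-z0-9\-#=_@.%]+$/;

// Parse the value of a trusted-types directive, e.g. "MyPolicy 'allow-duplicates' *".
// Keywords ('none', 'allow-duplicates') are matched case-insensitively, per the ABNF;
// policy names are kept exactly as written, because browsers compare them case-sensitively.
function parseTrustedTypes(value) {
  const result = { policyNames: [], wildcard: false, none: false, allowDuplicates: false, errors: [] };
  for (const token of value.trim().split(/[ \t]+/).filter(Boolean)) {
    const lower = token.toLowerCase();
    if (lower === "'none'") result.none = true;
    else if (lower === "'allow-duplicates'") result.allowDuplicates = true;
    else if (token === '*') result.wildcard = true;
    else if (POLICY_NAME_RE.test(token)) result.policyNames.push(token);
    else result.errors.push(`invalid trusted-types value: ${token}`);
  }
  return result;
}

// Assumed check (not from the project): may a policy with this exact name be created?
// '*' allows any name; otherwise the name must appear verbatim, so 'MyPolicy' !== 'mypolicy'.
function isPolicyNameAllowed(parsed, name) {
  if (parsed.wildcard) return true;
  return parsed.policyNames.includes(name);
}

// Parse the value of a require-trusted-types-for directive; only 'script' is defined.
function parseRequireTrustedTypesFor(value) {
  const result = { script: false, errors: [] };
  for (const token of value.trim().split(/[ \t]+/).filter(Boolean)) {
    if (token.toLowerCase() === "'script'") result.script = true;
    else result.errors.push(`unknown require-trusted-types-for value: ${token}`);
  }
  return result;
}
```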


shapesecurity/CLA#40

These tests verify browser behavior for the trusted-types CSP directive,
specifically checking whether keywords and policy names are treated as
case-sensitive or case-insensitive.

- Policy names
    > case-sensitive in both Chromium and WebKit

- Keywords ('none')
    > case-insensitive in both browsers

- Keywords ('allow-duplicates')
    > case-insensitive in WebKit, incorrectly case-sensitive in Chromium
      https://issues.chromium.org/issues/472892238
@sideshowbarker

👋 friendly bump~

This change implements support for the Trusted Types CSP directives as
specified in the W3C Trusted Types spec.

The trusted-types directive supports:

- Policy names (with characters: ALPHA/DIGIT/-/#/=/_/@/./%)
- Keywords: 'none', 'allow-duplicates'
- Wildcard: *

The require-trusted-types-for directive supports:

- Keyword: 'script'

Policy names are handled case-sensitively, matching browser behavior
(verified via Playwright tests against Chromium and WebKit). Keywords
are handled case-insensitively per the ABNF spec.

Note: Chromium incorrectly treats 'allow-duplicates' as case-sensitive,
while WebKit correctly treats it as case-insensitive. We follow the
spec. See https://issues.chromium.org/issues/472892238

Fixes shapesecurity#232

rbri commented Jan 28, 2026

👋 friendly bump~

Hi @sideshowbarker,
because this project does not seem to have been moving forward for a long time, I started my branch at the end of 2023. Maybe you'd like to have a look: https://github.com/HtmlUnit/htmlunit-csp

@kingthorin is working on trusted-types and require-trusted-types-for at the moment.
HtmlUnit/htmlunit-csp#9
Maybe we can work together


kingthorin commented Jan 28, 2026

@rbri / @sideshowbarker
This seems further along than my unfinished changes. I'd be happy to adapt/adopt this. Let me know if you're okay with that.

rbri added a commit to HtmlUnit/htmlunit-csp that referenced this pull request Jan 31, 2026

rbri commented Jan 31, 2026

@sideshowbarker - have taken this as base for 34b56357d237dcdc9e1876cbefd81017c5581fe0

At least your Playwright tests and the add methods have not been adopted yet. If you want, I can add more elements to support your cases, and hopefully we can continuously improve this together.

So far, this is also used by ZAP (https://github.com/owasp-zap/zaproxy), and @kingthorin and I are working together to improve this lib to support HtmlUnit and ZAP.

@sideshowbarker

because this project seems to be not moving forward for a long time, I started my branch at the end of 2023. Maybe you like to have a look. HtmlUnit/htmlunit-csp

Thanks, that’s really great news — in validator/validator@9870c6ecc0 I’ve gone ahead and switched the HTML checker to using htmlunit-csp, and pushed the change to https://validator.w3.org/nu/.

@sideshowbarker

@sideshowbarker - have taken this as base for 34b56357d237dcdc9e1876cbefd81017c5581fe0

Beautiful~ ⭐️

At least your Playwright tests and the add methods have not been adopted yet.

I’m happy to go ahead and take a shot at porting those over myself, if you want. Shall I go ahead and do that?

If you want, I can add more elements to support your cases

Not sure what you mean by “elements” — but right now, for the HTML checker, the immediate need is just for handling the trusted-types and require-trusted-types-for directives.

But lemme turn it around and say: If there’s anything additional y’all would like to see the HTML checker doing to help web developers with CSP more, I’m all for adding more of that.

and hopefully we can continuously improve this together.

Yes~ I’d be very happy to contribute further, wherever I might be useful.

So far, this is also used by ZAP (owasp-zap/zaproxy), and @kingthorin and I are working together to improve this lib to support HtmlUnit and ZAP.

👍


sideshowbarker commented Feb 1, 2026

At least your Playwright tests and the add methods have not been adopted yet.

I’m happy to go ahead and take a shot at porting those over myself, if you want. Shall I go ahead and do that?

Actually, I think we don’t necessarily really need the Playwright tests, right? I mean, they’re not really even tests as such — not for this code, at least; they’re not testing the behavior of this code in any way at all.

So they’re more just … demos, to document what browser engines currently do with case sensitivity for the directives.

and the add methods have not been adopted yet.

So the add/remove methods I’d be happy to port over. Or is there a reason you didn't already go ahead and do that?

sideshowbarker added a commit to sideshowbarker/htmlunit-csp that referenced this pull request Feb 1, 2026
Port the remaining manipulation API from
shapesecurity/salvation#273 that was not
included in 34b5635:

- Add ManipulationErrorConsumer interface to Directive
- Add removeValueExact() to Directive for case-sensitive value removal
- Add addPolicyName() and removePolicyName() to TrustedTypesDirective
- Add tests for validation, duplicates, case sensitivity, round-trip
  serialization, and edge cases
@sideshowbarker

So the add/remove methods I’d be happy to port over. Or is there a reason you didn't already go ahead and do that?

I went ahead and wrote a patch for it, and opened HtmlUnit/htmlunit-csp#11

So I’m going ahead and closing this PR here.

@sideshowbarker sideshowbarker deleted the trusted-types branch February 1, 2026 03:13
rbri added a commit to HtmlUnit/htmlunit-csp that referenced this pull request Feb 10, 2026
Development

Successfully merging this pull request may close these issues.

Trusted Types

3 participants