diff --git a/internal/template/templates/common/layout.html b/internal/template/templates/common/layout.html
index f456c058..19019c1e 100644
--- a/internal/template/templates/common/layout.html
+++ b/internal/template/templates/common/layout.html
@@ -36,10 +36,10 @@
 {{ if and .user .user.Stylesheet }}
 {{ $stylesheetNonce := nonce }}
-
+
 {{ else }}
-
+
 {{ end }}
diff --git a/internal/ui/static/js/app.js b/internal/ui/static/js/app.js
index 00083b20..79ffb4b5 100644
--- a/internal/ui/static/js/app.js
+++ b/internal/ui/static/js/app.js
@@ -352,7 +352,7 @@ function handleFetchOriginalContent() {
 response.json().then((data) => {
 if (data.hasOwnProperty("content") && data.hasOwnProperty("reading_time")) {
- document.querySelector(".entry-content").innerHTML = data.content;
+ document.querySelector(".entry-content").innerHTML = ttpolicy.createHTML(data.content);
 const entryReadingtimeElement = document.querySelector(".entry-reading-time");
 if (entryReadingtimeElement) {
 entryReadingtimeElement.textContent = data.reading_time;
diff --git a/internal/ui/static/js/bootstrap.js b/internal/ui/static/js/bootstrap.js
index c83704c3..44d6e716 100644
--- a/internal/ui/static/js/bootstrap.js
+++ b/internal/ui/static/js/bootstrap.js
@@ -129,7 +129,7 @@ document.addEventListener("DOMContentLoaded", () => {
 if ("serviceWorker" in navigator) {
 const scriptElement = document.getElementById("service-worker-script");
 if (scriptElement) {
- navigator.serviceWorker.register(scriptElement.src);
+ navigator.serviceWorker.register(ttpolicy.createScriptURL(scriptElement.src));
 }
 }
diff --git a/internal/ui/static/js/tt.js b/internal/ui/static/js/tt.js
new file mode 100644
index 00000000..f42cc47a
--- /dev/null
+++ b/internal/ui/static/js/tt.js
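Review bot: The new `ttpolicy.createHTML(data.content)` on the `+` line sanitizes nothing — the policy tt.js installs is an identity function — so this `innerHTML` sink is exactly as exposed to whatever `data.content` carries as before; the wrapper only lets the assignment pass a `require-trusted-types-for` CSP directive, which is not visible in this hunk. That is acceptable if the server is the sanitizer, but the assumption belongs at the sink so nobody later reads the wrapper as a sanitizer: `// ttpolicy.createHTML is a pass-through; data.content must already be sanitized server-side`. As a point of style, the `data.hasOwnProperty(...)` checks on the line above stop working if the JSON ever contains a `hasOwnProperty` key; `Object.hasOwn(data, "content")` does not have that problem. handleFetchOriginalContent starts and ends outside the hunk.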
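Review bot: The promise returned by `navigator.serviceWorker.register(...)` on the `+` line is still dropped, so a failed registration surfaces only as an unhandled rejection in the console; the commit rewrites the statement, so it is a good moment to attach a handler: `navigator.serviceWorker.register(ttpolicy.createScriptURL(scriptElement.src)).catch((err) => console.error("Service worker registration failed", err));`. Note also that with the identity `createScriptURL` from tt.js this line enforces nothing beyond "the value went through a named policy" — same-origin is what the browser already requires of a service worker script — so any real allow-list has to land in tt.js, not here. The enclosing DOMContentLoaded handler starts and ends outside the hunk.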
@@ -0,0 +1,15 @@
+let ttpolicy;
+if (window.trustedTypes && trustedTypes.createPolicy) {
+ //TODO: use an allow-list for `createScriptURL`
+ if (!ttpolicy) {
+ ttpolicy = trustedTypes.createPolicy('ttpolicy', {
+ createScriptURL: src => src,
+ createHTML: html => html,
+ });
+ }
+} else {
+ ttpolicy = {
+ createScriptURL: src => src,
+ createHTML: html => html,
+ };
+}
diff --git a/internal/ui/static/static.go b/internal/ui/static/static.go
index fd653b81..3ddff18d 100644
--- a/internal/ui/static/static.go
+++ b/internal/ui/static/static.go
@@ -113,6 +113,7 @@ func GenerateStylesheetsBundles() error {
 func GenerateJavascriptBundles() error {
 var bundles = map[string][]string{
 "app": {
+ "js/tt.js", // has to be first
 "js/dom_helper.js",
 "js/touch_handler.js",
 "js/keyboard_handler.js",
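Review bot: Both branches install identity functions, so with this file in place Trusted Types rejects nothing — `createHTML` inserts whatever it is handed and `createScriptURL` accepts any string — and the `if (!ttpolicy)` guard on the fourth `+` line is always true, because `let ttpolicy` was declared empty one line earlier (a second evaluation of the bundle would already fail on the redeclared `let`, so the guard protects nothing). The TODO can be partly closed now: a service worker script must be same-origin with the registering page, so `createScriptURL` can reject other origins without breaking any working deployment, and defining the rules once removes the duplicated object and keeps both branches in step. `createHTML` stays a pass-through, which should be said in a comment so nobody mistakes it for a sanitizer; whether the server sanitizes the HTML it feeds to it cannot be confirmed from this hunk. Be aware that `trustedTypes.createPolicy('ttpolicy', …)` throws if the page's CSP `trusted-types` directive does not list that name (or the policy is created twice without `'allow-duplicates'`), leaving `ttpolicy` undefined for app.js and bootstrap.js — presumably the intended fail-closed behaviour, but worth a comment too.
```javascript
// Shared Trusted Types policy: bootstrap.js routes the service-worker URL
// through createScriptURL and app.js routes fetched entry HTML through createHTML.
// createHTML is a deliberate pass-through — it satisfies a
// `require-trusted-types-for 'script'` CSP without sanitizing; the HTML
// handed to it must already be sanitized server-side.
const ttpolicyRules = {
    createScriptURL: (src) => {
        // A service worker script must be same-origin anyway; refuse anything else up front.
        const url = new URL(src, document.baseURI);
        if (url.origin !== window.location.origin) {
            throw new TypeError(`Refusing to load a script from ${url.origin}`);
        }
        return url.href;
    },
    createHTML: (html) => html,
};
// createPolicy throws if the CSP trusted-types directive does not allow 'ttpolicy'.
const ttpolicy = (window.trustedTypes && window.trustedTypes.createPolicy)
    ? window.trustedTypes.createPolicy('ttpolicy', ttpolicyRules)
    : ttpolicyRules;
```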
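Review bot: The `// has to be first` comment on the `+` line records that ordering matters but not why, so the constraint will not survive the next reordering of this list. The dependency is that app.js and bootstrap.js reference the global `ttpolicy` that tt.js declares with `let`, which is unusable until that declaration has executed; the uses visible in this diff are inside callbacks that run later, so the position presumably guards against any synchronous top-level use elsewhere in the bundle. Spell it out: `"js/tt.js", // must stay first: declares the global ttpolicy that app.js and bootstrap.js route DOM-sink values through`. GenerateJavascriptBundles's body continues past the hunk.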