From 0f7931572bb5273f71f26a4e92c34da599ec186b Mon Sep 17 00:00:00 2001
From: gonzo
Date: Sun, 2 May 2021 16:31:55 -0300
Subject: [PATCH] Add support for require-trusted-types-for and trusted-types csp headers
---
 actionpack/CHANGELOG.md | 6 ++
 .../http/content_security_policy.rb | 72 ++++++++++---------
 .../dispatch/content_security_policy_test.rb | 18 +++++
 3 files changed, 62 insertions(+), 34 deletions(-)
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index bdc29db6f4..a44390e0c4 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+* Add support for 'require-trusted-types-for' and 'trusted-types' headers.
+
+ Fixes #42034
+
+ *lfalcao*
+
 * Remove inline styles and address basic accessibility issues on rescue templates.
 *Jacob Herrington*
diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
index e8cf1b95a5..8fe232a578 100644
--- a/actionpack/lib/action_dispatch/http/content_security_policy.rb
+++ b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -106,43 +106,47 @@ module ActionDispatch #:nodoc:
 end
 MAPPINGS = {
- self: "'self'",
- unsafe_eval: "'unsafe-eval'",
- unsafe_inline: "'unsafe-inline'",
- none: "'none'",
- http: "http:",
- https: "https:",
- data: "data:",
- mediastream: "mediastream:",
- blob: "blob:",
- filesystem: "filesystem:",
- report_sample: "'report-sample'",
- strict_dynamic: "'strict-dynamic'",
- ws: "ws:",
- wss: "wss:"
+ self: "'self'",
+ unsafe_eval: "'unsafe-eval'",
+ unsafe_inline: "'unsafe-inline'",
+ none: "'none'",
+ http: "http:",
+ https: "https:",
+ data: "data:",
+ mediastream: "mediastream:",
+ allow_duplicates: "'allow-duplicates'",
+ blob: "blob:",
+ filesystem: "filesystem:",
+ report_sample: "'report-sample'",
+ script: "'script'",
+ strict_dynamic: "'strict-dynamic'",
+ ws: "ws:",
+ wss: "wss:"
 }.freeze
 DIRECTIVES = {
- base_uri: "base-uri",
- child_src: "child-src",
- connect_src: "connect-src",
- default_src: "default-src",
- font_src: "font-src",
- form_action: "form-action",
- frame_ancestors: "frame-ancestors",
- frame_src: "frame-src",
- img_src: "img-src",
- manifest_src: "manifest-src",
- media_src: "media-src",
- object_src: "object-src",
- prefetch_src: "prefetch-src",
- script_src: "script-src",
- script_src_attr: "script-src-attr",
- script_src_elem: "script-src-elem",
- style_src: "style-src",
- style_src_attr: "style-src-attr",
- style_src_elem: "style-src-elem",
- worker_src: "worker-src"
+ base_uri: "base-uri",
+ child_src: "child-src",
+ connect_src: "connect-src",
+ default_src: "default-src",
+ font_src: "font-src",
+ form_action: "form-action",
+ frame_ancestors: "frame-ancestors",
+ frame_src: "frame-src",
+ img_src: "img-src",
+ manifest_src: "manifest-src",
+ media_src: "media-src",
+ object_src: "object-src",
+ prefetch_src: "prefetch-src",
+ require_trusted_types_for: "require-trusted-types-for",
+ script_src: "script-src",
+ script_src_attr: "script-src-attr",
+ script_src_elem: "script-src-elem",
+ style_src: "style-src",
+ style_src_attr: 
"style-src-attr", + style_src_elem: "style-src-elem", + trusted_types: "trusted-types", + worker_src: "worker-src" }.freeze DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb index 3d60dc1661..f95920b145 100644 --- a/actionpack/test/dispatch/content_security_policy_test.rb +++ b/actionpack/test/dispatch/content_security_policy_test.rb @@ -211,6 +211,24 @@ class ContentSecurityPolicyTest < ActiveSupport::TestCase @policy.require_sri_for assert_no_match %r{require-sri-for}, @policy.build + @policy.require_trusted_types_for :script + assert_match %r{require-trusted-types-for 'script'}, @policy.build + + @policy.require_trusted_types_for + assert_no_match %r{require-trusted-types-for}, @policy.build + + @policy.trusted_types :none + assert_match %r{trusted-types 'none'}, @policy.build + + @policy.trusted_types "foo", "bar" + assert_match %r{trusted-types foo bar}, @policy.build + + @policy.trusted_types "foo", "bar", :allow_duplicates + assert_match %r{trusted-types foo bar 'allow-duplicates'}, @policy.build + + @policy.trusted_types + assert_no_match %r{trusted-types}, @policy.build + @policy.upgrade_insecure_requests assert_match %r{upgrade-insecure-requests}, @policy.build