add support for 'trusted-types' and 'require-trusted-types-for' CSP directives

this is based on shapesecurity/salvation#273

Author: rbri

pom.xml

@@ -337,6 +337,9 @@
         <contributor>
             <name>Rick Mitchell</name>
         </contributor>
+        <contributor>
+            <name>Michael Smith</name>
+        </contributor>
     </contributors>
 
     <dependencies>

src/main/java/org/htmlunit/csp/Policy.java

@@ -33,8 +33,10 @@
 import org.htmlunit.csp.directive.HostSourceDirective;
 import org.htmlunit.csp.directive.PluginTypesDirective;
 import org.htmlunit.csp.directive.ReportUriDirective;
+import org.htmlunit.csp.directive.RequireTrustedTypesForDirective;
 import org.htmlunit.csp.directive.SandboxDirective;
 import org.htmlunit.csp.directive.SourceExpressionDirective;
+import org.htmlunit.csp.directive.TrustedTypesDirective;
 import org.htmlunit.csp.url.GUID;
 import org.htmlunit.csp.url.URI;
 import org.htmlunit.csp.url.URLWithScheme;
@@ -44,7 +46,7 @@
 import org.htmlunit.csp.value.RFC7230Token;
 import org.htmlunit.csp.value.Scheme;
 
-public final class Policy {
+public class Policy {
     // Things we don't preserve:
     // - Whitespace
     // - Empty directives or policies (as in `; ;` or `, ,`)
@@ -60,12 +62,16 @@ public final class Policy {
 
     private final List<NamedDirective> directives_ = new ArrayList<>();
 
-    private SourceExpressionDirective baseUri_;
     private boolean blockAllMixedContent_;
+
+    private SourceExpressionDirective baseUri_;
     private SourceExpressionDirective formAction_;
     private FrameAncestorsDirective frameAncestors_;
     private SourceExpressionDirective navigateTo_;
     private PluginTypesDirective pluginTypes_;
+    private TrustedTypesDirective trustedTypes_;
+    private RequireTrustedTypesForDirective requireTrustedTypesFor_;
+
     private FetchDirectiveKind prefetchSrc_;
     private RFC7230Token reportTo_;
     private ReportUriDirective reportUri_;
@@ -320,6 +326,32 @@ else if (values.size() == 1) {
                 newDirective = sandboxDirective;
                 break;
 
+            case "trusted-types":
+                // https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive
+                final TrustedTypesDirective trustedTypesDirective =
+                        new TrustedTypesDirective(values, directiveErrorConsumer);
+                if (this.trustedTypes_ == null) {
+                    this.trustedTypes_ = trustedTypesDirective;
+                }
+                else {
+                    wasDupe = true;
+                }
+                newDirective = trustedTypesDirective;
+                break;
+
+            case "require-trusted-types-for":
+                // https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-csp-directive
+                final RequireTrustedTypesForDirective requireTrustedTypesForDirective =
+                        new RequireTrustedTypesForDirective(values, directiveErrorConsumer);
+                if (this.requireTrustedTypesFor_ == null) {
+                    this.requireTrustedTypesFor_ = requireTrustedTypesForDirective;
+                }
+                else {
+                    wasDupe = true;
+                }
+                newDirective = requireTrustedTypesForDirective;
+                break;
+
             case "upgrade-insecure-requests":
                 // https://www.w3.org/TR/upgrade-insecure-requests/#delivery
                 if (upgradeInsecureRequests_) {
@@ -431,6 +463,14 @@ public Optional<SandboxDirective> sandbox() {
         return Optional.ofNullable(sandbox_);
     }
 
+    public Optional<TrustedTypesDirective> trustedTypes() {
+        return Optional.ofNullable(trustedTypes_);
+    }
+
+    public Optional<RequireTrustedTypesForDirective> requireTrustedTypesFor() {
+        return Optional.ofNullable(requireTrustedTypesFor_);
+    }
+
     public boolean upgradeInsecureRequests() {
         return upgradeInsecureRequests_;
     }

src/main/java/org/htmlunit/csp/directive/RequireTrustedTypesForDirective.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2023-2026 Ronald Brill.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.htmlunit.csp.directive;
+
+import org.htmlunit.csp.Directive;
+import org.htmlunit.csp.Policy;
+
+import java.util.List;
+import java.util.Locale;
+
+/**
+ * @author Michael Smith
+ */
+public class RequireTrustedTypesForDirective extends Directive {
+    // https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-csp-directive
+    // Currently only 'script' is defined
+    private static final String SCRIPT = "'script'";
+
+    private boolean script_ = false;
+
+    public RequireTrustedTypesForDirective(final List<String> values, final DirectiveErrorConsumer errors) {
+        super(values);
+
+        if (values.isEmpty()) {
+            errors.add(Policy.Severity.Error, "The require-trusted-types-for directive requires a value", -1);
+            return;
+        }
+
+        int index = 0;
+        for (final String token : values) {
+            // ABNF strings are case-insensitive
+            final String lowcaseToken = token.toLowerCase(Locale.ROOT);
+            switch (lowcaseToken) {
+                case "'script'":
+                    if (!script_) {
+                        script_ = true;
+                    }
+                    else {
+                        errors.add(Policy.Severity.Warning, "Duplicate keyword 'script'", index);
+                    }
+                    break;
+                default:
+                    if (token.startsWith("'") && token.endsWith("'")) {
+                        errors.add(Policy.Severity.Error,
+                                "Unrecognized require-trusted-types-for keyword " + token, index);
+                    }
+                    else {
+                        errors.add(Policy.Severity.Error,
+                                "Unrecognized require-trusted-types-for value " + token
+                                        + " - keywords must be wrapped in single quotes", index);
+                    }
+            }
+            ++index;
+        }
+    }
+
+    public boolean script() {
+        return script_;
+    }
+
+    public void setScript_(final boolean script) {
+        if (script_ == script) {
+            return;
+        }
+        if (script) {
+            addValue(SCRIPT);
+        }
+        else {
+            removeValueIgnoreCase(SCRIPT);
+        }
+        script_ = script;
+    }
+}

src/main/java/org/htmlunit/csp/directive/TrustedTypesDirective.java

@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2023-2026 Ronald Brill.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.htmlunit.csp.directive;
+
+import org.htmlunit.csp.Directive;
+import org.htmlunit.csp.Policy;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Locale;
+import java.util.regex.Pattern;
+
+/**
+ * @author Michael Smith
+ */
+public class TrustedTypesDirective extends Directive {
+    // https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive
+    // tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
+    private static final Pattern TT_POLICY_NAME_PATTERN = Pattern.compile("^[A-Za-z0-9\\-#=_/@.%]+$");
+
+    private boolean none_ = false;
+    private boolean allowDuplicates_ = false;
+    private boolean star_ = false;
+    private final List<String> policyNames_ = new ArrayList<>();
+
+    public TrustedTypesDirective(final List<String> values, final DirectiveErrorConsumer errors) {
+        super(values);
+
+        int index = 0;
+        for (final String token : values) {
+            // Keywords are case-insensitive per ABNF spec (RFC 5234 §2.3).
+            // Note: Chromium incorrectly treats 'allow-duplicates' as case-sensitive,
+            // while WebKit correctly treats it as case-insensitive. We follow the spec.
+            // See https://issues.chromium.org/issues/472892238
+            final String lowcaseToken = token.toLowerCase(Locale.ROOT);
+            switch (lowcaseToken) {
+                case "'none'":
+                    if (!none_) {
+                        none_ = true;
+                    }
+                    else {
+                        errors.add(Policy.Severity.Warning, "Duplicate keyword 'none'", index);
+                    }
+                    break;
+                case "'allow-duplicates'":
+                    if (!allowDuplicates_) {
+                        allowDuplicates_ = true;
+                    }
+                    else {
+                        errors.add(Policy.Severity.Warning, "Duplicate keyword 'allow-duplicates'", index);
+                    }
+                    break;
+                case "*":
+                    if (!star_) {
+                        star_ = true;
+                    }
+                    else {
+                        errors.add(Policy.Severity.Warning, "Duplicate wildcard *", index);
+                    }
+                    break;
+                default:
+                    if (token.startsWith("'") && token.endsWith("'")) {
+                        errors.add(Policy.Severity.Error, "Unrecognized trusted-types keyword " + token, index);
+                    }
+                    else if (TT_POLICY_NAME_PATTERN.matcher(token).matches()) {
+                        // Policy names are case-sensitive per browser behavior
+                        if (policyNames_.contains(token)) {
+                            errors.add(Policy.Severity.Warning, "Duplicate policy name " + token, index);
+                        }
+                        else {
+                            policyNames_.add(token);
+                        }
+                    }
+                    else {
+                        errors.add(Policy.Severity.Error, "Invalid trusted-types policy name " + token, index);
+                    }
+            }
+            ++index;
+        }
+
+        // 'none' must not be combined with other values
+        if (none_ && (star_ || allowDuplicates_ || !policyNames_.isEmpty())) {
+            errors.add(Policy.Severity.Error,
+                    "'none' must not be combined with any other trusted-types expression", -1);
+        }
+    }
+
+    public boolean none() {
+        return none_;
+    }
+
+    public void setNone(final boolean none) {
+        if (none_ == none) {
+            return;
+        }
+        if (none) {
+            addValue("'none'");
+        }
+        else {
+            removeValueIgnoreCase("'none'");
+        }
+        none_ = none;
+    }
+
+    public boolean allowDuplicates() {
+        return allowDuplicates_;
+    }
+
+    public void setAllowDuplicates_(final boolean allowDuplicates) {
+        if (allowDuplicates_ == allowDuplicates) {
+            return;
+        }
+        if (allowDuplicates) {
+            addValue("'allow-duplicates'");
+        }
+        else {
+            removeValueIgnoreCase("'allow-duplicates'");
+        }
+        allowDuplicates_ = allowDuplicates;
+    }
+
+    public boolean star() {
+        return star_;
+    }
+
+    public void setStar_(final boolean star) {
+        if (star_ == star) {
+            return;
+        }
+        if (star) {
+            addValue("*");
+        }
+        else {
+            removeValueIgnoreCase("*");
+        }
+        star_ = star;
+    }
+
+    public List<String> getPolicyNames_() {
+        return Collections.unmodifiableList(policyNames_);
+    }
+}