I wanted to open a discussion with respect to extending the current CSP module to include support for trusted-types and require-trusted-types-for headers. Although both Symfony and the NelmioSecurityBundle have little to no control over the JavaScript embedded on the sites that use them, extending the configuration for CSP to include these new directives will hopefully empower developers to make use of the new features provided by them.
Trusted Types hopes to limit the number of potential DOM XSS sinks in an application by instead replacing them with Trusted HTML types. Some documentation on the extent of the Trusted Types feature can be found here and an article detailing the benefits and reductions to DOM-based XSS provided can be found here.
I've made a rough implementation of this on a fork of the bundle and would like to know if you would be receptive to me opening a PR referencing it.
Thanks!
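As an added example (this is not code from NelmioSecurityBundle or from the linked PR), the block below shows what the two directives look like once serialized into a `Content-Security-Policy` header value, a defender-side check for whether a given header actually enforces Trusted Types on script sinks, and the kind of escaping policy an application would register in the browser so that its `innerHTML`-style writes go through a `TrustedHTML` value. The directive-map layout, the function names and the policy name `escapeOnly` are assumptions made for this example; `trustedTypes.createPolicy` is the standard browser API, and the example takes it as a parameter so it can be exercised outside a browser.

```javascript
// Added example: not the bundle's own code. Builds and inspects a CSP header
// that enables Trusted Types, and registers an escaping policy.

// Serialize a directive map into a CSP header value. The map shape
// { directiveName: [tokens] } is an assumption for this example, not the
// bundle's configuration keys.
function buildCspHeader(directives) {
  return Object.entries(directives)
    .filter(([, values]) => values !== undefined)
    .map(([name, values]) => {
      const list = Array.isArray(values) ? values : [values];
      // Valueless directives (e.g. upgrade-insecure-requests) are emitted bare.
      return list.length ? `${name} ${list.join(' ')}` : name;
    })
    .join('; ');
}

// Parse a CSP header value back into { directiveName: [tokens] }.
function parseCsp(header) {
  const out = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const [name, ...values] = tokens;
    out[name.toLowerCase()] = values;
  }
  return out;
}

// Defender-side check: does this header enforce Trusted Types for script
// sinks (innerHTML, eval, script src, ...), and which policy names may be
// created? Only require-trusted-types-for 'script' turns enforcement on;
// a trusted-types directive on its own merely restricts policy names.
function trustedTypesStatus(header) {
  const csp = parseCsp(header);
  const enforced = (csp['require-trusted-types-for'] || []).includes("'script'");
  const tt = csp['trusted-types'] || null;
  return {
    enforced,
    // Without a trusted-types directive, any policy name may be created.
    allowedPolicies: tt === null ? '*' : tt.filter(v => !v.startsWith("'") && v !== '*'),
    allowsAny: tt === null || tt.includes('*'),
  };
}

// Policy factory. In a browser, pass window.trustedTypes. The policy name
// must appear in the trusted-types directive or creation is blocked. The
// sanitiser here simply HTML-escapes, which is deliberately conservative:
// no markup survives, so the returned TrustedHTML cannot carry script.
function createEscapingPolicy(trustedTypes, name) {
  return trustedTypes.createPolicy(name, {
    createHTML: (input) => String(input)
      .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;').replace(/'/g, '&#39;'),
  });
}

// Constructed sample: the header a Trusted Types-aware configuration would emit.
const exampleHeader = buildCspHeader({
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'require-trusted-types-for': ["'script'"],
  'trusted-types': ['escapeOnly', "'allow-duplicates'"],
});

console.log(exampleHeader);
console.log(trustedTypesStatus(exampleHeader));
```

Two details worth keeping in mind when wiring this into a bundle configuration: the policy name given to `createPolicy` in page scripts has to match a name listed in `trusted-types` (or the directive has to be absent or contain `*`), and a header that carries `trusted-types` without `require-trusted-types-for 'script'` restricts policy creation but leaves every DOM sink unenforced, which is exactly the misconfiguration `trustedTypesStatus` flags.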
henrym2 changed the title from "Extending CSP to include Trusted-Types headers" to "[Feature Contribution] Extending CSP to include Trusted-Types headers" on Aug 11, 2020.
Stumbled upon this while moving our CSP configuration to Symfony to have more control over it.
Are there any plans to discuss this or even to merge this pull request? 👀
I'd be happy to bring it up to date if I could get a review of it 😅, but it has been about two years since it was opened and so far the Nelmio bundle team hasn't interacted with the inclusion: https://github.com/nelmio/NelmioSecurityBundle/pull/235/files
Yeah, sorry, there's hardly anyone here with bandwidth to maintain the bundle. The PR looks fine to me at first glance, but I'm kinda worried about just merging random stuff without fully understanding it, given the security aspects of this bundle.