chromium/ash/webui/camera_app_ui/resources/js/trusted_script_url_policy_util.ts

// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

import {assertExists} from './assert.js';
import {expandPath} from './util.js';


// Script paths the Camera app is permitted to load as script. This list is the
// whole allowlist: adding an entry widens what the Trusted Types policy below
// will accept, so every addition deserves review.
const CAMERA_APP_SCRIPT_PATHS = [
  '/js/test_bridge.js',
  '/js/main.js',
  '/js/models/barcode_worker.js',
  '/js/multi_window_manager.js',
];

// Exact-match lookup set. Entries are stored in the form `expandPath` returns,
// so a candidate URL only matches if it went through the same expansion first.
const ALLOWED_SCRIPT_URLS = new Set(CAMERA_APP_SCRIPT_PATHS.map(expandPath));

/**
 * `createScriptURL` callback for the Camera app policy. Returns `url`
 * unchanged when it is a member of ALLOWED_SCRIPT_URLS and throws otherwise,
 * so an unlisted URL never becomes a trusted script URL (fail closed).
 *
 * The check is a plain Set membership test. No normalization happens here, so
 * the caller must pass the URL in the same expanded form the allowlist uses.
 *
 * @param url Candidate script URL, already expanded.
 * @return The same URL when it is allowlisted.
 * @throws Error when the URL is not in the allowlist.
 */
function checkScriptUrlAllowed(url: string): string {
  if (ALLOWED_SCRIPT_URLS.has(url)) {
    return url;
  }
  throw new Error('Script URL not allowed: ' + url);
}

// Trusted Types policy, created once at module load, that only vouches for
// the allowlisted script URLs.
// NOTE(review): `assertExists` presumably throws when `window.trustedTypes` is
// unavailable, which would make this module fail to load rather than fall back
// to unchecked URLs; confirm against assert.js.
const trustedScriptUrlPolicy =
    assertExists(window.trustedTypes)
        .createPolicy('camera-app-trusted-script', {
          createScriptURL: checkScriptUrlAllowed,
        });

/**
 * Expands `url` and passes it through the module-level Trusted Types script
 * URL policy, which accepts only allowlisted script URLs and throws for
 * anything else.
 *
 * The declared return type is `string`, but the type assertion below only
 * affects static typing; the value handed back at runtime is whatever the
 * policy's `createScriptURL` produced.
 *
 * TODO(crbug.com/1466042): Change the return type to `TrustedScriptURL` once
 * Worker/SharedWorker ts type and setAttribute() accept `TrustedScriptURL`.
 *
 * @param url Script URL to be sanitized.
 * @return The policy-approved script URL, typed as `string` for now.
 */
export function getSanitizedScriptUrl(url: string): string {
  const policy = assertExists(trustedScriptUrlPolicy);
  const trustedUrl = policy.createScriptURL(expandPath(url));
  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
  return trustedUrl as unknown as string;
}