feat: support trusted types for script injection

mgechev · mgechev · commit d903513c86c1 · 2021-10-18T16:24:42.000-07:00
diff --git a/projects/shell-chrome/src/inject.ts b/projects/shell-chrome/src/inject.ts
@@ -1,28 +1,42 @@
-export const injectScripts = (scripts: string[], cb?: () => void) => {
-  let injected = 0;
-  scripts.forEach(s =>
-    injectScript(chrome.runtime.getURL(s), () => {
-      injected++;
-      if (injected === scripts.length && cb) {
-        cb();
-      }
+const loadScripts = (urls: string[]) => {
+  return urls
+    .map((url, idx) => {
+      return `
+      const script${idx} = document.constructor.prototype.createElement.call(document, 'script');
+      script${idx}.src = getScriptName("${url}");
+      document.documentElement.appendChild(script${idx});
+      script${idx}.parentNode.removeChild(script${idx});
+    `;
     })
-  );
+    .join('\n');
 };
 
-const injectScript = (scriptName: string, cb: () => void) => {
-  const src = `
-    (function() {
-      var script = document.constructor.prototype.createElement.call(document, 'script');
-      script.src = "${scriptName}";
-      document.documentElement.appendChild(script);
-      script.parentNode.removeChild(script);
-    })()
+let loaded = false;
+export const injectScripts = (urls: string[], cb?: () => void) => {
+  if (loaded) {
+    // Not throwing a hard error here, because we don't want to stop the
+    // execution when folks are not using Trusted Types or when they have
+    // allowed redeclaration of a security policy.
+    console.error('Trying to reinject scripts');
+  }
+  loaded = true;
+  urls = urls.map((s) => chrome.runtime.getURL(s));
+  const script = `
+  (function () {
+    let policy = null;
+    if (window.trustedTypes && window.trustedTypes.createPolicy) {
+      policy = window.trustedTypes.createPolicy('angular#devtools', {
+        createScriptURL: url => ${JSON.stringify(urls)}.indexOf(url) >= 0 ? url : null
+      });
+    }
+    const getScriptName = name => policy ? policy.createScriptURL(name) : name;
+    ${loadScripts(urls)}
+  })();
   `;
-  chrome.devtools.inspectedWindow.eval(src, (_, err) => {
+  chrome.devtools.inspectedWindow.eval(script, (_, err) => {
     if (err) {
       console.log(err);
     }
-    cb();
+    cb?.();
   });
 };
