
[fix]: Add support for TrustedTypes in Svelte #16271


Open
wants to merge 2 commits into base: main

Conversation

fallaciousreasoning
Contributor

@fallaciousreasoning fallaciousreasoning commented Jul 1, 2025

Before submitting the PR, please make sure you do the following

Resolves #14438
Resolves #10826

This PR makes it possible to use Svelte on pages which require TrustedTypes support via their CSP by wrapping assignments to innerHTML in a TrustedTypePolicy called svelte-trusted-html if the TrustedTypes API exists.

Servers can allowlist the policy by setting require-trusted-types-for 'script'; trusted-types svelte-trusted-html in their Content-Security-Policy header.

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
  • Prefix your PR title with feat:, fix:, chore:, or docs:.
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.
  • If this PR changes code within packages/svelte/src, add a changeset (npx changeset).

Tests and linting

Note: I haven't run the tests since I don't have pnpm set up properly.

I have tested that:

  1. A project with a CSP fails with Tip of Tree Svelte
  2. That project works when installing this revision of Svelte
  3. The project (with this revision) works in browsers with no TrustedTypes support (i.e. Firefox, Safari)
  • Run the tests with pnpm test and lint the project with pnpm lint

My test project is here: https://github.com/fallaciousreasoning/svelte-tt-test/blob/master/src/routes/%2Bpage.server.js

The only change to the default project is adding the CSP in src/routes/page.server.js
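The mechanism the PR description outlines, written out as an added example that is not the PR's own code: an innerHTML write goes through a Trusted Types policy named svelte-trusted-html when the browser exposes the API and falls back to a plain string otherwise, and a small check tells whether a given Content-Security-Policy value both enforces Trusted Types for script sinks and allowlists that policy name. Only the policy name and the CSP value come from the PR; the function names, the stub Trusted Types object and the sample element are constructed for this example.

```javascript
// Added example, not code from the Svelte PR: routing innerHTML writes through a
// Trusted Types policy when the browser exposes the API, and falling back to a
// plain string where it does not (Firefox and Safari at the time of the PR).
// Only the policy name and the CSP value come from the PR description; the
// function names and the stub objects below are this example's own.
const POLICY_NAME = 'svelte-trusted-html';

// The Content-Security-Policy value the PR says servers can use to enforce
// Trusted Types for script sinks and allowlist this one policy.
const CSP_HEADER_VALUE =
  "require-trusted-types-for 'script'; trusted-types " + POLICY_NAME;

// Build an object with createHTML(html). `tt` is the Trusted Types factory,
// normally globalThis.trustedTypes; it is a parameter so the no-API path can
// be exercised outside a browser (pass null to force the fallback).
function createHtmlPolicy(tt = globalThis.trustedTypes) {
  if (tt && typeof tt.createPolicy === 'function') {
    // The policy passes markup through unchanged; whether this policy name may
    // exist at all is decided by the page's CSP, and createPolicy throws when it
    // is not allowlisted. Letting that throw propagate surfaces the
    // misconfiguration at startup instead of at the first innerHTML write.
    return tt.createPolicy(POLICY_NAME, { createHTML: (html) => html });
  }
  // No Trusted Types support: innerHTML accepts plain strings.
  return { createHTML: (html) => html };
}

// Assign markup to an element through the policy and return what was written,
// so callers can see whether a TrustedHTML value or a string landed.
function setInnerHTML(element, html, policy) {
  const value = policy.createHTML(html);
  element.innerHTML = value;
  return value;
}

// Check whether a CSP value enforces Trusted Types for script sinks and allows
// the given policy name. Per the Trusted Types spec: no `trusted-types`
// directive means any policy name is allowed; a directive with no names (or
// only keywords such as 'none') allows none; '*' allows any name.
function cspAllowsPolicy(cspValue, policyName) {
  const directives = new Map();
  for (const raw of cspValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const enforced = (directives.get('require-trusted-types-for') || []).includes("'script'");
  const list = directives.get('trusted-types');
  if (list === undefined) return { enforced, allowed: true };
  const names = list.filter((t) => !t.startsWith("'")); // drop 'none', 'allow-duplicates'
  return { enforced, allowed: names.includes('*') || names.includes(policyName) };
}

// Stand-alone demonstration with a constructed Trusted Types stub: it tags the
// values it produces so the difference from the fallback path is visible.
function demo() {
  const fakeTrustedTypes = {
    createPolicy(name, rules) {
      return {
        name,
        createHTML: (s) => ({ trustedHTML: true, policy: name, value: rules.createHTML(s) })
      };
    }
  };
  const el = { innerHTML: '' }; // constructed stand-in for a DOM element
  const withApi = setInnerHTML(el, '<p>hi</p>', createHtmlPolicy(fakeTrustedTypes));
  const withoutApi = setInnerHTML(el, '<p>hi</p>', createHtmlPolicy(null));
  return { withApi, withoutApi, csp: cspAllowsPolicy(CSP_HEADER_VALUE, POLICY_NAME) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real page `createHtmlPolicy()` is called once with the browser's `globalThis.trustedTypes`; the `cspAllowsPolicy` check is the kind of thing a server-side test can run against the header it is about to emit, so a typo in the policy name is caught before the browser refuses the policy.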


changeset-bot bot commented Jul 1, 2025

🦋 Changeset detected

Latest commit: b3ba3c7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name: svelte, Type: Minor



github-actions bot commented Jul 1, 2025

Playground

pnpm add https://pkg.pr.new/svelte@16271

@7nik
Contributor

7nik commented Jul 1, 2025

Btw, I think configuring CSP should be added to the docs. Or have trusted-types svelte-trusted-html integrated into SvelteKit.
