npm - es-module-shims - Versions diffs - 2.7.0 → 2.8.0 - Mend

es-module-shims 2.7.0 → 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +12 -1
package/dist/es-module-shims.debug.js +142 -119
package/dist/es-module-shims.js +136 -113
package/dist/es-module-shims.wasm.js +136 -113
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -31,7 +31,7 @@ Because we are still using the native module loader the edge cases work out comp
 Include ES Module Shims with a `async` attribute on the script, then include an import map and module scripts normally:
 ```html
-<script async src="https://ga.jspm.io/npm:es-module-shims@2.7.0/dist/es-module-shims.js"></script>
+<script async src="https://ga.jspm.io/npm:es-module-shims@2.8.0/dist/es-module-shims.js"></script>
 <!-- https://generator.jspm.io/#U2NhYGBkDM0rySzJSU1hKEpNTC5xMLTQM9Az0C1K1jMAAKFS5w0gAA -->
 <script type="importmap">
@@ -469,6 +469,17 @@ import pkg from 'pkg';
 </script>
 ```
+## Trusted Types Support
+ES Module Shims supports [Trusted Types](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API) a browser security feature that prevents DOM-based XSS attacks. When your CSP includes `require-trusted-types-for 'script'`, the library automatically creates a policy named `es-module-shims` to handle its internal script creation and source rewriting. Browsers without Trusted Types support fall back to standard behavior automatically.
+To enable it, add `es-module-shims` to your CSP's trusted-types directive. If you see errors about "TrustedScript assignment," you're missing this directive.
+```html
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; trusted-types es-module-shims;">
+```
 #### Wasm Build
 To use the Web Assembly / non-CSP build of ES Module Shims, this is available as a self-contained single file at `es-module-shims/wasm` or `es-module-shims/dist/es-module-shims.wasm.js` in the package folder.

package/dist/es-module-shims.debug.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/** ES Module Shims @version 2.7.0 */
+/** ES Module Shims @version 2.8.0 */
 (function () {
   const self_ = typeof globalThis !== 'undefined' ? globalThis : self;
@@ -181,7 +181,7 @@
   const esmsInitOptions = optionsScript ? JSON.parse(optionsScript.innerHTML) : {};
   Object.assign(esmsInitOptions, self_.esmsInitOptions || {});
-  const version = "2.7.0";
+  const version = "2.8.0";
   const r$1 = esmsInitOptions.version;
   if (self_.importShim || (r$1 && r$1 !== version)) {
@@ -490,123 +490,146 @@
     }
   };
-  // support browsers without dynamic import support (eg Firefox 6x)
-  let supportsJsonType = false;
-  let supportsCssType = false;
-  const supports = hasDocument && HTMLScriptElement.supports;
-  let supportsImportMaps = supports && supports.name === 'supports' && supports('importmap');
-  let supportsWasmInstancePhase = false;
-  let supportsWasmSourcePhase = false;
-  let supportsMultipleImportMaps = false;
-  const wasmBytes = [0, 97, 115, 109, 1, 0, 0, 0];
-  let featureDetectionPromise = (async function () {
-    if (!hasDocument)
-      return Promise.all([
-        import(createBlob(`import"${createBlob('{}', 'text/json')}"with{type:"json"}`)).then(
-          () => (
-            (supportsJsonType = true),
-            import(createBlob(`import"${createBlob('', 'text/css')}"with{type:"css"}`)).then(
-              () => (supportsCssType = true),
-              noop
-            )
-          ),
-          noop
-        ),
-        wasmInstancePhaseEnabled &&
-          import(createBlob(`import"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
-            () => (supportsWasmInstancePhase = true),
-            noop
-          ),
-        wasmSourcePhaseEnabled &&
-          import(createBlob(`import source x from"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
-            () => (supportsWasmSourcePhase = true),
-            noop
-          )
-      ]);
-    const msgTag = `s${version}`;
-    return new Promise(resolve => {
-      const iframe = document.createElement('iframe');
-      iframe.style.display = 'none';
-      iframe.setAttribute('nonce', nonce);
-      function cb({ data }) {
-        const isFeatureDetectionMessage = Array.isArray(data) && data[0] === msgTag;
-        if (!isFeatureDetectionMessage) return;
-        [
-          ,
-          supportsImportMaps,
-          supportsMultipleImportMaps,
-          supportsJsonType,
-          supportsCssType,
-          supportsWasmSourcePhase,
-          supportsWasmInstancePhase
-        ] = data;
-        resolve();
-        document.head.removeChild(iframe);
-        window.removeEventListener('message', cb, false);
-      }
-      window.addEventListener('message', cb, false);
-      // Feature checking with careful avoidance of unnecessary work - all gated on initial import map supports check. CSS gates on JSON feature check, Wasm instance phase gates on wasm source phase check.
-      const importMapTest = `<script nonce=${nonce || ''}>b=(s,type='text/javascript')=>URL.createObjectURL(new Blob([s],{type}));c=u=>import(u).then(()=>true,()=>false);i=innerText=>document.head.appendChild(Object.assign(document.createElement('script'),{type:'importmap',nonce:"${nonce}",innerText}));i(\`{"imports":{"x":"\${b('')}"}}\`);i(\`{"imports":{"y":"\${b('')}"}}\`);cm=${
-      supportsImportMaps && jsonModulesEnabled ? `c(b(\`import"\${b('{}','text/json')}"with{type:"json"}\`))` : 'false'
-    };sp=${
-      supportsImportMaps && wasmSourcePhaseEnabled ?
-        `c(b(\`import source x from "\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))`
-      : 'false'
-    };Promise.all([${supportsImportMaps ? 'true' : "c('x')"},${supportsImportMaps ? "c('y')" : false},cm,${
-      supportsImportMaps && cssModulesEnabled ?
-        `cm.then(s=>s?c(b(\`import"\${b('','text/css')\}"with{type:"css"}\`)):false)`
-      : 'false'
-    },sp,${
-      supportsImportMaps && wasmInstancePhaseEnabled ?
-        `${wasmSourcePhaseEnabled ? 'sp.then(s=>s?' : ''}c(b(\`import"\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))${wasmSourcePhaseEnabled ? ':false)' : ''}`
-      : 'false'
-    }]).then(a=>parent.postMessage(['${msgTag}'].concat(a),'*'))<${''}/script>`;
-      // Safari will call onload eagerly on head injection, but we don't want the Wechat
-      // path to trigger before setting srcdoc, therefore we track the timing
-      let readyForOnload = false,
-        onloadCalledWhileNotReady = false;
-      function doOnload() {
-        if (!readyForOnload) {
-          onloadCalledWhileNotReady = true;
-          return;
-        }
-        // WeChat browser doesn't support setting srcdoc scripts
-        // But iframe sandboxes don't support contentDocument so we do this as a fallback
-        const doc = iframe.contentDocument;
-        if (doc && doc.head.childNodes.length === 0) {
-          const s = doc.createElement('script');
-          if (nonce) s.setAttribute('nonce', nonce);
-          s.innerHTML = importMapTest.slice(15 + (nonce ? nonce.length : 0), -9);
-          doc.head.appendChild(s);
-        }
-      }
-      iframe.onload = doOnload;
-      // WeChat browser requires append before setting srcdoc
-      document.head.appendChild(iframe);
-      // setting srcdoc is not supported in React native webviews on iOS
-      // setting src to a blob URL results in a navigation event in webviews
-      // document.write gives usability warnings
-      readyForOnload = true;
-      if ('srcdoc' in iframe) iframe.srcdoc = importMapTest;
-      else iframe.contentDocument.write(importMapTest);
-      // retrigger onload for Safari only if necessary
-      if (onloadCalledWhileNotReady) doOnload();
-    });
-  })();
+  let policy;
+  if (typeof window.trustedTypes !== 'undefined' || typeof window.TrustedTypes !== 'undefined') {
+    try {
+      policy = (window.trustedTypes || window.TrustedTypes).createPolicy('es-module-shims', {
+        createHTML: html => html,
+        createScript: script => script
+      });
+    } catch {}
+  }
+  function maybeTrustedInnerHTML(html) {
+    return policy ? policy.createHTML(html) : html;
+  }
+  function maybeTrustedScript(script) {
+    return policy ? policy.createScript(script) : script;
+  }
-  featureDetectionPromise = featureDetectionPromise.then(() => {
-      console.info(
-        `es-module-shims: detected native support - module types: (${[...(supportsJsonType ? ['json'] : []), ...(supportsCssType ? ['css'] : []), ...(supportsWasmInstancePhase ? ['wasm'] : [])].join(', ')}), ${supportsWasmSourcePhase ? 'source phase' : 'no source phase'}, ${supportsMultipleImportMaps ? '' : 'no '}multiple import maps, ${supportsImportMaps ? '' : 'no '}import maps`
-      );
+  // support browsers without dynamic import support (eg Firefox 6x)
+  let supportsJsonType = false;
+  let supportsCssType = false;
+  const supports = hasDocument && HTMLScriptElement.supports;
+  let supportsImportMaps = supports && supports.name === 'supports' && supports('importmap');
+  let supportsWasmInstancePhase = false;
+  let supportsWasmSourcePhase = false;
+  let supportsMultipleImportMaps = false;
+  const wasmBytes = [0, 97, 115, 109, 1, 0, 0, 0];
+  let featureDetectionPromise = (async function () {
+    if (!hasDocument)
+      return Promise.all([
+        import(createBlob(`import"${createBlob('{}', 'text/json')}"with{type:"json"}`)).then(
+          () => (
+            (supportsJsonType = true),
+            import(createBlob(`import"${createBlob('', 'text/css')}"with{type:"css"}`)).then(
+              () => (supportsCssType = true),
+              noop
+            )
+          ),
+          noop
+        ),
+        wasmInstancePhaseEnabled &&
+          import(createBlob(`import"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
+            () => (supportsWasmInstancePhase = true),
+            noop
+          ),
+        wasmSourcePhaseEnabled &&
+          import(createBlob(`import source x from"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
+            () => (supportsWasmSourcePhase = true),
+            noop
+          )
+      ]);
+    const msgTag = `s${version}`;
+    return new Promise(resolve => {
+      const iframe = document.createElement('iframe');
+      iframe.style.display = 'none';
+      iframe.setAttribute('nonce', nonce);
+      function cb({ data }) {
+        const isFeatureDetectionMessage = Array.isArray(data) && data[0] === msgTag;
+        if (!isFeatureDetectionMessage) return;
+        [
+          ,
+          supportsImportMaps,
+          supportsMultipleImportMaps,
+          supportsJsonType,
+          supportsCssType,
+          supportsWasmSourcePhase,
+          supportsWasmInstancePhase
+        ] = data;
+        resolve();
+        document.head.removeChild(iframe);
+        window.removeEventListener('message', cb, false);
+      }
+      window.addEventListener('message', cb, false);
+      // Feature checking with careful avoidance of unnecessary work - all gated on initial import map supports check. CSS gates on JSON feature check, Wasm instance phase gates on wasm source phase check.
+      const importMapTest = `<script nonce=${nonce || ''}>${
+      policy ? 't=(window.trustedTypes||window.TrustedTypes).createPolicy("es-module-shims",{createScript:s=>s});' : ''
+    }b=(s,type='text/javascript')=>URL.createObjectURL(new Blob([s],{type}));c=u=>import(u).then(()=>true,()=>false);i=innerText=>${
+      policy ? 't.createScript(innerText=>' : ''
+    }document.head.appendChild(Object.assign(document.createElement('script'),{type:'importmap',nonce:"${nonce}",innerText}))${
+      policy ? ')' : ''
+    };i(\`{"imports":{"x":"\${b('')}"}}\`);i(\`{"imports":{"y":"\${b('')}"}}\`);cm=${
+      supportsImportMaps && jsonModulesEnabled ? `c(b(\`import"\${b('{}','text/json')}"with{type:"json"}\`))` : 'false'
+    };sp=${
+      supportsImportMaps && wasmSourcePhaseEnabled ?
+        `c(b(\`import source x from "\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))`
+      : 'false'
+    };Promise.all([${supportsImportMaps ? 'true' : "c('x')"},${supportsImportMaps ? "c('y')" : false},cm,${
+      supportsImportMaps && cssModulesEnabled ?
+        `cm.then(s=>s?c(b(\`import"\${b('','text/css')\}"with{type:"css"}\`)):false)`
+      : 'false'
+    },sp,${
+      supportsImportMaps && wasmInstancePhaseEnabled ?
+        `${wasmSourcePhaseEnabled ? 'sp.then(s=>s?' : ''}c(b(\`import"\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))${wasmSourcePhaseEnabled ? ':false)' : ''}`
+      : 'false'
+    }]).then(a=>parent.postMessage(['${msgTag}'].concat(a),'*'))<${''}/script>`;
+      // Safari will call onload eagerly on head injection, but we don't want the Wechat
+      // path to trigger before setting srcdoc, therefore we track the timing
+      let readyForOnload = false,
+        onloadCalledWhileNotReady = false;
+      function doOnload() {
+        if (!readyForOnload) {
+          onloadCalledWhileNotReady = true;
+          return;
+        }
+        // WeChat browser doesn't support setting srcdoc scripts
+        // But iframe sandboxes don't support contentDocument so we do this as a fallback
+        const doc = iframe.contentDocument;
+        if (doc && doc.head.childNodes.length === 0) {
+          const s = doc.createElement('script');
+          if (nonce) s.setAttribute('nonce', nonce);
+          s.innerText = maybeTrustedScript(importMapTest.slice(15 + (nonce ? nonce.length : 0), -9));
+          doc.head.appendChild(s);
+        }
+      }
+      iframe.onload = doOnload;
+      // WeChat browser requires append before setting srcdoc
+      document.head.appendChild(iframe);
+      // setting srcdoc is not supported in React native webviews on iOS
+      // setting src to a blob URL results in a navigation event in webviews
+      // document.write gives usability warnings
+      readyForOnload = true;
+      if ('srcdoc' in iframe) iframe.srcdoc = maybeTrustedInnerHTML(importMapTest);
+      else iframe.contentDocument.write(importMapTest);
+      // retrigger onload for Safari only if necessary
+      if (onloadCalledWhileNotReady) doOnload();
+    });
+  })();
+  featureDetectionPromise = featureDetectionPromise.then(() => {
+      console.info(
+        `es-module-shims: detected native support - module types: (${[...(supportsJsonType ? ['json'] : []), ...(supportsCssType ? ['css'] : []), ...(supportsWasmInstancePhase ? ['wasm'] : [])].join(', ')}), ${supportsWasmSourcePhase ? 'source phase' : 'no source phase'}, ${supportsMultipleImportMaps ? '' : 'no '}multiple import maps, ${supportsImportMaps ? '' : 'no '}import maps`
+      );
     });
   /* es-module-lexer 2.0.0 */
@@ -726,7 +749,7 @@
   // Ensure this version is the only version
   defineValue(self_, 'importShim', Object.freeze(importShim));
   const shimModeOptions = { ...esmsInitOptions, shimMode: true };
-  if (optionsScript) optionsScript.innerHTML = JSON.stringify(shimModeOptions);
+  if (optionsScript) optionsScript.innerText = maybeTrustedScript(JSON.stringify(shimModeOptions));
   self_.esmsInitOptions = shimModeOptions;
   const loadAll = async (load, seen) => {

package/dist/es-module-shims.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/** ES Module Shims @version 2.7.0 */
+/** ES Module Shims @version 2.8.0 */
 (function () {
   const self_ = typeof globalThis !== 'undefined' ? globalThis : self;
@@ -180,7 +180,7 @@
   const esmsInitOptions = optionsScript ? JSON.parse(optionsScript.innerHTML) : {};
   Object.assign(esmsInitOptions, self_.esmsInitOptions || {});
-  const version = "2.7.0";
+  const version = "2.8.0";
   const r$1 = esmsInitOptions.version;
   if (self_.importShim || (r$1 && r$1 !== version)) {
@@ -486,117 +486,140 @@
     }
   };
-  // support browsers without dynamic import support (eg Firefox 6x)
-  let supportsJsonType = false;
-  let supportsCssType = false;
-  const supports = hasDocument && HTMLScriptElement.supports;
-  let supportsImportMaps = supports && supports.name === 'supports' && supports('importmap');
-  let supportsWasmInstancePhase = false;
-  let supportsWasmSourcePhase = false;
-  let supportsMultipleImportMaps = false;
-  const wasmBytes = [0, 97, 115, 109, 1, 0, 0, 0];
-  let featureDetectionPromise = (async function () {
-    if (!hasDocument)
-      return Promise.all([
-        import(createBlob(`import"${createBlob('{}', 'text/json')}"with{type:"json"}`)).then(
-          () => (
-            (supportsJsonType = true),
-            import(createBlob(`import"${createBlob('', 'text/css')}"with{type:"css"}`)).then(
-              () => (supportsCssType = true),
-              noop
-            )
-          ),
-          noop
-        ),
-        wasmInstancePhaseEnabled &&
-          import(createBlob(`import"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
-            () => (supportsWasmInstancePhase = true),
-            noop
-          ),
-        wasmSourcePhaseEnabled &&
-          import(createBlob(`import source x from"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
-            () => (supportsWasmSourcePhase = true),
-            noop
-          )
-      ]);
-    const msgTag = `s${version}`;
-    return new Promise(resolve => {
-      const iframe = document.createElement('iframe');
-      iframe.style.display = 'none';
-      iframe.setAttribute('nonce', nonce);
-      function cb({ data }) {
-        const isFeatureDetectionMessage = Array.isArray(data) && data[0] === msgTag;
-        if (!isFeatureDetectionMessage) return;
-        [
-          ,
-          supportsImportMaps,
-          supportsMultipleImportMaps,
-          supportsJsonType,
-          supportsCssType,
-          supportsWasmSourcePhase,
-          supportsWasmInstancePhase
-        ] = data;
-        resolve();
-        document.head.removeChild(iframe);
-        window.removeEventListener('message', cb, false);
-      }
-      window.addEventListener('message', cb, false);
-      // Feature checking with careful avoidance of unnecessary work - all gated on initial import map supports check. CSS gates on JSON feature check, Wasm instance phase gates on wasm source phase check.
-      const importMapTest = `<script nonce=${nonce || ''}>b=(s,type='text/javascript')=>URL.createObjectURL(new Blob([s],{type}));c=u=>import(u).then(()=>true,()=>false);i=innerText=>document.head.appendChild(Object.assign(document.createElement('script'),{type:'importmap',nonce:"${nonce}",innerText}));i(\`{"imports":{"x":"\${b('')}"}}\`);i(\`{"imports":{"y":"\${b('')}"}}\`);cm=${
-      supportsImportMaps && jsonModulesEnabled ? `c(b(\`import"\${b('{}','text/json')}"with{type:"json"}\`))` : 'false'
-    };sp=${
-      supportsImportMaps && wasmSourcePhaseEnabled ?
-        `c(b(\`import source x from "\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))`
-      : 'false'
-    };Promise.all([${supportsImportMaps ? 'true' : "c('x')"},${supportsImportMaps ? "c('y')" : false},cm,${
-      supportsImportMaps && cssModulesEnabled ?
-        `cm.then(s=>s?c(b(\`import"\${b('','text/css')\}"with{type:"css"}\`)):false)`
-      : 'false'
-    },sp,${
-      supportsImportMaps && wasmInstancePhaseEnabled ?
-        `${wasmSourcePhaseEnabled ? 'sp.then(s=>s?' : ''}c(b(\`import"\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))${wasmSourcePhaseEnabled ? ':false)' : ''}`
-      : 'false'
-    }]).then(a=>parent.postMessage(['${msgTag}'].concat(a),'*'))<${''}/script>`;
-      // Safari will call onload eagerly on head injection, but we don't want the Wechat
-      // path to trigger before setting srcdoc, therefore we track the timing
-      let readyForOnload = false,
-        onloadCalledWhileNotReady = false;
-      function doOnload() {
-        if (!readyForOnload) {
-          onloadCalledWhileNotReady = true;
-          return;
-        }
-        // WeChat browser doesn't support setting srcdoc scripts
-        // But iframe sandboxes don't support contentDocument so we do this as a fallback
-        const doc = iframe.contentDocument;
-        if (doc && doc.head.childNodes.length === 0) {
-          const s = doc.createElement('script');
-          if (nonce) s.setAttribute('nonce', nonce);
-          s.innerHTML = importMapTest.slice(15 + (nonce ? nonce.length : 0), -9);
-          doc.head.appendChild(s);
-        }
-      }
-      iframe.onload = doOnload;
-      // WeChat browser requires append before setting srcdoc
-      document.head.appendChild(iframe);
+  let policy;
+  if (typeof window.trustedTypes !== 'undefined' || typeof window.TrustedTypes !== 'undefined') {
+    try {
+      policy = (window.trustedTypes || window.TrustedTypes).createPolicy('es-module-shims', {
+        createHTML: html => html,
+        createScript: script => script
+      });
+    } catch {}
+  }
+  function maybeTrustedInnerHTML(html) {
+    return policy ? policy.createHTML(html) : html;
+  }
+  function maybeTrustedScript(script) {
+    return policy ? policy.createScript(script) : script;
+  }
-      // setting srcdoc is not supported in React native webviews on iOS
-      // setting src to a blob URL results in a navigation event in webviews
-      // document.write gives usability warnings
-      readyForOnload = true;
-      if ('srcdoc' in iframe) iframe.srcdoc = importMapTest;
-      else iframe.contentDocument.write(importMapTest);
-      // retrigger onload for Safari only if necessary
-      if (onloadCalledWhileNotReady) doOnload();
-    });
+  // support browsers without dynamic import support (eg Firefox 6x)
+  let supportsJsonType = false;
+  let supportsCssType = false;
+  const supports = hasDocument && HTMLScriptElement.supports;
+  let supportsImportMaps = supports && supports.name === 'supports' && supports('importmap');
+  let supportsWasmInstancePhase = false;
+  let supportsWasmSourcePhase = false;
+  let supportsMultipleImportMaps = false;
+  const wasmBytes = [0, 97, 115, 109, 1, 0, 0, 0];
+  let featureDetectionPromise = (async function () {
+    if (!hasDocument)
+      return Promise.all([
+        import(createBlob(`import"${createBlob('{}', 'text/json')}"with{type:"json"}`)).then(
+          () => (
+            (supportsJsonType = true),
+            import(createBlob(`import"${createBlob('', 'text/css')}"with{type:"css"}`)).then(
+              () => (supportsCssType = true),
+              noop
+            )
+          ),
+          noop
+        ),
+        wasmInstancePhaseEnabled &&
+          import(createBlob(`import"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
+            () => (supportsWasmInstancePhase = true),
+            noop
+          ),
+        wasmSourcePhaseEnabled &&
+          import(createBlob(`import source x from"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
+            () => (supportsWasmSourcePhase = true),
+            noop
+          )
+      ]);
+    const msgTag = `s${version}`;
+    return new Promise(resolve => {
+      const iframe = document.createElement('iframe');
+      iframe.style.display = 'none';
+      iframe.setAttribute('nonce', nonce);
+      function cb({ data }) {
+        const isFeatureDetectionMessage = Array.isArray(data) && data[0] === msgTag;
+        if (!isFeatureDetectionMessage) return;
+        [
+          ,
+          supportsImportMaps,
+          supportsMultipleImportMaps,
+          supportsJsonType,
+          supportsCssType,
+          supportsWasmSourcePhase,
+          supportsWasmInstancePhase
+        ] = data;
+        resolve();
+        document.head.removeChild(iframe);
+        window.removeEventListener('message', cb, false);
+      }
+      window.addEventListener('message', cb, false);
+      // Feature checking with careful avoidance of unnecessary work - all gated on initial import map supports check. CSS gates on JSON feature check, Wasm instance phase gates on wasm source phase check.
+      const importMapTest = `<script nonce=${nonce || ''}>${
+      policy ? 't=(window.trustedTypes||window.TrustedTypes).createPolicy("es-module-shims",{createScript:s=>s});' : ''
+    }b=(s,type='text/javascript')=>URL.createObjectURL(new Blob([s],{type}));c=u=>import(u).then(()=>true,()=>false);i=innerText=>${
+      policy ? 't.createScript(innerText=>' : ''
+    }document.head.appendChild(Object.assign(document.createElement('script'),{type:'importmap',nonce:"${nonce}",innerText}))${
+      policy ? ')' : ''
+    };i(\`{"imports":{"x":"\${b('')}"}}\`);i(\`{"imports":{"y":"\${b('')}"}}\`);cm=${
+      supportsImportMaps && jsonModulesEnabled ? `c(b(\`import"\${b('{}','text/json')}"with{type:"json"}\`))` : 'false'
+    };sp=${
+      supportsImportMaps && wasmSourcePhaseEnabled ?
+        `c(b(\`import source x from "\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))`
+      : 'false'
+    };Promise.all([${supportsImportMaps ? 'true' : "c('x')"},${supportsImportMaps ? "c('y')" : false},cm,${
+      supportsImportMaps && cssModulesEnabled ?
+        `cm.then(s=>s?c(b(\`import"\${b('','text/css')\}"with{type:"css"}\`)):false)`
+      : 'false'
+    },sp,${
+      supportsImportMaps && wasmInstancePhaseEnabled ?
+        `${wasmSourcePhaseEnabled ? 'sp.then(s=>s?' : ''}c(b(\`import"\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))${wasmSourcePhaseEnabled ? ':false)' : ''}`
+      : 'false'
+    }]).then(a=>parent.postMessage(['${msgTag}'].concat(a),'*'))<${''}/script>`;
+      // Safari will call onload eagerly on head injection, but we don't want the Wechat
+      // path to trigger before setting srcdoc, therefore we track the timing
+      let readyForOnload = false,
+        onloadCalledWhileNotReady = false;
+      function doOnload() {
+        if (!readyForOnload) {
+          onloadCalledWhileNotReady = true;
+          return;
+        }
+        // WeChat browser doesn't support setting srcdoc scripts
+        // But iframe sandboxes don't support contentDocument so we do this as a fallback
+        const doc = iframe.contentDocument;
+        if (doc && doc.head.childNodes.length === 0) {
+          const s = doc.createElement('script');
+          if (nonce) s.setAttribute('nonce', nonce);
+          s.innerText = maybeTrustedScript(importMapTest.slice(15 + (nonce ? nonce.length : 0), -9));
+          doc.head.appendChild(s);
+        }
+      }
+      iframe.onload = doOnload;
+      // WeChat browser requires append before setting srcdoc
+      document.head.appendChild(iframe);
+      // setting srcdoc is not supported in React native webviews on iOS
+      // setting src to a blob URL results in a navigation event in webviews
+      // document.write gives usability warnings
+      readyForOnload = true;
+      if ('srcdoc' in iframe) iframe.srcdoc = maybeTrustedInnerHTML(importMapTest);
+      else iframe.contentDocument.write(importMapTest);
+      // retrigger onload for Safari only if necessary
+      if (onloadCalledWhileNotReady) doOnload();
+    });
   })();
   /* es-module-lexer 2.0.0 */
@@ -714,7 +737,7 @@
   // Ensure this version is the only version
   defineValue(self_, 'importShim', Object.freeze(importShim));
   const shimModeOptions = { ...esmsInitOptions, shimMode: true };
-  if (optionsScript) optionsScript.innerHTML = JSON.stringify(shimModeOptions);
+  if (optionsScript) optionsScript.innerText = maybeTrustedScript(JSON.stringify(shimModeOptions));
   self_.esmsInitOptions = shimModeOptions;
   const loadAll = async (load, seen) => {

package/dist/es-module-shims.wasm.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/** ES Module Shims Wasm @version 2.7.0 */
+/** ES Module Shims Wasm @version 2.8.0 */
 (function () {
   const self_ = typeof globalThis !== 'undefined' ? globalThis : self;
@@ -180,7 +180,7 @@
   const esmsInitOptions = optionsScript ? JSON.parse(optionsScript.innerHTML) : {};
   Object.assign(esmsInitOptions, self_.esmsInitOptions || {});
-  const version = "2.7.0";
+  const version = "2.8.0";
   const r = esmsInitOptions.version;
   if (self_.importShim || (r && r !== version)) {
@@ -486,117 +486,140 @@
     }
   };
-  // support browsers without dynamic import support (eg Firefox 6x)
-  let supportsJsonType = false;
-  let supportsCssType = false;
-  const supports = hasDocument && HTMLScriptElement.supports;
-  let supportsImportMaps = supports && supports.name === 'supports' && supports('importmap');
-  let supportsWasmInstancePhase = false;
-  let supportsWasmSourcePhase = false;
-  let supportsMultipleImportMaps = false;
-  const wasmBytes = [0, 97, 115, 109, 1, 0, 0, 0];
-  let featureDetectionPromise = (async function () {
-    if (!hasDocument)
-      return Promise.all([
-        import(createBlob(`import"${createBlob('{}', 'text/json')}"with{type:"json"}`)).then(
-          () => (
-            (supportsJsonType = true),
-            import(createBlob(`import"${createBlob('', 'text/css')}"with{type:"css"}`)).then(
-              () => (supportsCssType = true),
-              noop
-            )
-          ),
-          noop
-        ),
-        wasmInstancePhaseEnabled &&
-          import(createBlob(`import"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
-            () => (supportsWasmInstancePhase = true),
-            noop
-          ),
-        wasmSourcePhaseEnabled &&
-          import(createBlob(`import source x from"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
-            () => (supportsWasmSourcePhase = true),
-            noop
-          )
-      ]);
-    const msgTag = `s${version}`;
-    return new Promise(resolve => {
-      const iframe = document.createElement('iframe');
-      iframe.style.display = 'none';
-      iframe.setAttribute('nonce', nonce);
-      function cb({ data }) {
-        const isFeatureDetectionMessage = Array.isArray(data) && data[0] === msgTag;
-        if (!isFeatureDetectionMessage) return;
-        [
-          ,
-          supportsImportMaps,
-          supportsMultipleImportMaps,
-          supportsJsonType,
-          supportsCssType,
-          supportsWasmSourcePhase,
-          supportsWasmInstancePhase
-        ] = data;
-        resolve();
-        document.head.removeChild(iframe);
-        window.removeEventListener('message', cb, false);
-      }
-      window.addEventListener('message', cb, false);
-      // Feature checking with careful avoidance of unnecessary work - all gated on initial import map supports check. CSS gates on JSON feature check, Wasm instance phase gates on wasm source phase check.
-      const importMapTest = `<script nonce=${nonce || ''}>b=(s,type='text/javascript')=>URL.createObjectURL(new Blob([s],{type}));c=u=>import(u).then(()=>true,()=>false);i=innerText=>document.head.appendChild(Object.assign(document.createElement('script'),{type:'importmap',nonce:"${nonce}",innerText}));i(\`{"imports":{"x":"\${b('')}"}}\`);i(\`{"imports":{"y":"\${b('')}"}}\`);cm=${
-      supportsImportMaps && jsonModulesEnabled ? `c(b(\`import"\${b('{}','text/json')}"with{type:"json"}\`))` : 'false'
-    };sp=${
-      supportsImportMaps && wasmSourcePhaseEnabled ?
-        `c(b(\`import source x from "\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))`
-      : 'false'
-    };Promise.all([${supportsImportMaps ? 'true' : "c('x')"},${supportsImportMaps ? "c('y')" : false},cm,${
-      supportsImportMaps && cssModulesEnabled ?
-        `cm.then(s=>s?c(b(\`import"\${b('','text/css')\}"with{type:"css"}\`)):false)`
-      : 'false'
-    },sp,${
-      supportsImportMaps && wasmInstancePhaseEnabled ?
-        `${wasmSourcePhaseEnabled ? 'sp.then(s=>s?' : ''}c(b(\`import"\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))${wasmSourcePhaseEnabled ? ':false)' : ''}`
-      : 'false'
-    }]).then(a=>parent.postMessage(['${msgTag}'].concat(a),'*'))<${''}/script>`;
-      // Safari will call onload eagerly on head injection, but we don't want the Wechat
-      // path to trigger before setting srcdoc, therefore we track the timing
-      let readyForOnload = false,
-        onloadCalledWhileNotReady = false;
-      function doOnload() {
-        if (!readyForOnload) {
-          onloadCalledWhileNotReady = true;
-          return;
-        }
-        // WeChat browser doesn't support setting srcdoc scripts
-        // But iframe sandboxes don't support contentDocument so we do this as a fallback
-        const doc = iframe.contentDocument;
-        if (doc && doc.head.childNodes.length === 0) {
-          const s = doc.createElement('script');
-          if (nonce) s.setAttribute('nonce', nonce);
-          s.innerHTML = importMapTest.slice(15 + (nonce ? nonce.length : 0), -9);
-          doc.head.appendChild(s);
-        }
-      }
-      iframe.onload = doOnload;
-      // WeChat browser requires append before setting srcdoc
-      document.head.appendChild(iframe);
+  let policy;
+  if (typeof window.trustedTypes !== 'undefined' || typeof window.TrustedTypes !== 'undefined') {
+    try {
+      policy = (window.trustedTypes || window.TrustedTypes).createPolicy('es-module-shims', {
+        createHTML: html => html,
+        createScript: script => script
+      });
+    } catch {}
+  }
+  function maybeTrustedInnerHTML(html) {
+    return policy ? policy.createHTML(html) : html;
+  }
+  function maybeTrustedScript(script) {
+    return policy ? policy.createScript(script) : script;
+  }
-      // setting srcdoc is not supported in React native webviews on iOS
-      // setting src to a blob URL results in a navigation event in webviews
-      // document.write gives usability warnings
-      readyForOnload = true;
-      if ('srcdoc' in iframe) iframe.srcdoc = importMapTest;
-      else iframe.contentDocument.write(importMapTest);
-      // retrigger onload for Safari only if necessary
-      if (onloadCalledWhileNotReady) doOnload();
-    });
+  // support browsers without dynamic import support (eg Firefox 6x)
+  let supportsJsonType = false;
+  let supportsCssType = false;
+  const supports = hasDocument && HTMLScriptElement.supports;
+  let supportsImportMaps = supports && supports.name === 'supports' && supports('importmap');
+  let supportsWasmInstancePhase = false;
+  let supportsWasmSourcePhase = false;
+  let supportsMultipleImportMaps = false;
+  const wasmBytes = [0, 97, 115, 109, 1, 0, 0, 0];
+  let featureDetectionPromise = (async function () {
+    if (!hasDocument)
+      return Promise.all([
+        import(createBlob(`import"${createBlob('{}', 'text/json')}"with{type:"json"}`)).then(
+          () => (
+            (supportsJsonType = true),
+            import(createBlob(`import"${createBlob('', 'text/css')}"with{type:"css"}`)).then(
+              () => (supportsCssType = true),
+              noop
+            )
+          ),
+          noop
+        ),
+        wasmInstancePhaseEnabled &&
+          import(createBlob(`import"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
+            () => (supportsWasmInstancePhase = true),
+            noop
+          ),
+        wasmSourcePhaseEnabled &&
+          import(createBlob(`import source x from"${createBlob(new Uint8Array(wasmBytes), 'application/wasm')}"`)).then(
+            () => (supportsWasmSourcePhase = true),
+            noop
+          )
+      ]);
+    const msgTag = `s${version}`;
+    return new Promise(resolve => {
+      const iframe = document.createElement('iframe');
+      iframe.style.display = 'none';
+      iframe.setAttribute('nonce', nonce);
+      function cb({ data }) {
+        const isFeatureDetectionMessage = Array.isArray(data) && data[0] === msgTag;
+        if (!isFeatureDetectionMessage) return;
+        [
+          ,
+          supportsImportMaps,
+          supportsMultipleImportMaps,
+          supportsJsonType,
+          supportsCssType,
+          supportsWasmSourcePhase,
+          supportsWasmInstancePhase
+        ] = data;
+        resolve();
+        document.head.removeChild(iframe);
+        window.removeEventListener('message', cb, false);
+      }
+      window.addEventListener('message', cb, false);
+      // Feature checking with careful avoidance of unnecessary work - all gated on initial import map supports check. CSS gates on JSON feature check, Wasm instance phase gates on wasm source phase check.
+      const importMapTest = `<script nonce=${nonce || ''}>${
+      policy ? 't=(window.trustedTypes||window.TrustedTypes).createPolicy("es-module-shims",{createScript:s=>s});' : ''
+    }b=(s,type='text/javascript')=>URL.createObjectURL(new Blob([s],{type}));c=u=>import(u).then(()=>true,()=>false);i=innerText=>${
+      policy ? 't.createScript(innerText=>' : ''
+    }document.head.appendChild(Object.assign(document.createElement('script'),{type:'importmap',nonce:"${nonce}",innerText}))${
+      policy ? ')' : ''
+    };i(\`{"imports":{"x":"\${b('')}"}}\`);i(\`{"imports":{"y":"\${b('')}"}}\`);cm=${
+      supportsImportMaps && jsonModulesEnabled ? `c(b(\`import"\${b('{}','text/json')}"with{type:"json"}\`))` : 'false'
+    };sp=${
+      supportsImportMaps && wasmSourcePhaseEnabled ?
+        `c(b(\`import source x from "\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))`
+      : 'false'
+    };Promise.all([${supportsImportMaps ? 'true' : "c('x')"},${supportsImportMaps ? "c('y')" : false},cm,${
+      supportsImportMaps && cssModulesEnabled ?
+        `cm.then(s=>s?c(b(\`import"\${b('','text/css')\}"with{type:"css"}\`)):false)`
+      : 'false'
+    },sp,${
+      supportsImportMaps && wasmInstancePhaseEnabled ?
+        `${wasmSourcePhaseEnabled ? 'sp.then(s=>s?' : ''}c(b(\`import"\${b(new Uint8Array(${JSON.stringify(wasmBytes)}),'application/wasm')\}"\`))${wasmSourcePhaseEnabled ? ':false)' : ''}`
+      : 'false'
+    }]).then(a=>parent.postMessage(['${msgTag}'].concat(a),'*'))<${''}/script>`;
+      // Safari will call onload eagerly on head injection, but we don't want the Wechat
+      // path to trigger before setting srcdoc, therefore we track the timing
+      let readyForOnload = false,
+        onloadCalledWhileNotReady = false;
+      function doOnload() {
+        if (!readyForOnload) {
+          onloadCalledWhileNotReady = true;
+          return;
+        }
+        // WeChat browser doesn't support setting srcdoc scripts
+        // But iframe sandboxes don't support contentDocument so we do this as a fallback
+        const doc = iframe.contentDocument;
+        if (doc && doc.head.childNodes.length === 0) {
+          const s = doc.createElement('script');
+          if (nonce) s.setAttribute('nonce', nonce);
+          s.innerText = maybeTrustedScript(importMapTest.slice(15 + (nonce ? nonce.length : 0), -9));
+          doc.head.appendChild(s);
+        }
+      }
+      iframe.onload = doOnload;
+      // WeChat browser requires append before setting srcdoc
+      document.head.appendChild(iframe);
+      // setting srcdoc is not supported in React native webviews on iOS
+      // setting src to a blob URL results in a navigation event in webviews
+      // document.write gives usability warnings
+      readyForOnload = true;
+      if ('srcdoc' in iframe) iframe.srcdoc = maybeTrustedInnerHTML(importMapTest);
+      else iframe.contentDocument.write(importMapTest);
+      // retrigger onload for Safari only if necessary
+      if (onloadCalledWhileNotReady) doOnload();
+    });
   })();
   /* es-module-lexer 2.0.0 */
@@ -714,7 +737,7 @@
   // Ensure this version is the only version
   defineValue(self_, 'importShim', Object.freeze(importShim));
   const shimModeOptions = { ...esmsInitOptions, shimMode: true };
-  if (optionsScript) optionsScript.innerHTML = JSON.stringify(shimModeOptions);
+  if (optionsScript) optionsScript.innerText = maybeTrustedScript(JSON.stringify(shimModeOptions));
   self_.esmsInitOptions = shimModeOptions;
   const loadAll = async (load, seen) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "es-module-shims",
-  "version": "2.7.0",
+  "version": "2.8.0",
   "description": "Shims for the latest ES module features",
   "main": "dist/es-module-shims.js",
   "exports": {