lighthouse 12.7.1-dev.20250705 → 12.7.1-dev.20250707

package/cli/test/smokehouse/core-tests.js

@@ -66,6 +66,8 @@ import serviceWorkerReloaded from './test-definitions/service-worker-reloaded.js
 import shiftAttribution from './test-definitions/shift-attribution.js';
 import sourceMaps from './test-definitions/source-maps.js';
 import timing from './test-definitions/timing.js';
+import trustedTypesDirectivePresent from './test-definitions/trusted-types-directive-present.js';
+import trustedTypesDirectiveMissingDirective from './test-definitions/trusted-types-missing-directives.js';
 
 /** @type {ReadonlyArray<Smokehouse.TestDfn>} */
 const smokeTests = [
@@ -131,6 +133,8 @@ const smokeTests = [
   shiftAttribution,
   sourceMaps,
   timing,
+  trustedTypesDirectivePresent,
+  trustedTypesDirectiveMissingDirective,
 ];
 
 export default smokeTests;

package/core/audits/trusted-types-xss.d.ts

@@ -0,0 +1,41 @@
+export default TrustedTypesXss;
+declare class TrustedTypesXss extends Audit {
+    /**
+     * @param {LH.Artifacts} artifacts
+     * @param {LH.Audit.Context} context
+     * @return {Promise<{cspHeaders: string[], cspMetaTags: string[]}>}
+     */
+    static getRawCsps(artifacts: LH.Artifacts, context: LH.Audit.Context): Promise<{
+        cspHeaders: string[];
+        cspMetaTags: string[];
+    }>;
+    /**
+     * @param {LH.IcuMessage | string} findingDescription
+     * @param {LH.IcuMessage=} severity
+     * @return {LH.Audit.Details.TableItem}
+     */
+    static findingToTableItem(findingDescription: LH.IcuMessage | string, severity?: LH.IcuMessage | undefined): LH.Audit.Details.TableItem;
+    /**
+     * @param {string[]} cspHeaders
+     * @param {string[]} cspMetaTags
+     * @return {{score: number, results: LH.Audit.Details.TableItem[]}}
+     */
+    static constructResults(cspHeaders: string[], cspMetaTags: string[]): {
+        score: number;
+        results: LH.Audit.Details.TableItem[];
+    };
+    /**
+     * @param {LH.Artifacts} artifacts
+     * @param {LH.Audit.Context} context
+     * @return {Promise<LH.Audit.Product>}
+     */
+    static audit(artifacts: LH.Artifacts, context: LH.Audit.Context): Promise<LH.Audit.Product>;
+}
+export namespace UIStrings {
+    let title: string;
+    let description: string;
+    let noTrustedTypesToMitigateXss: string;
+    let columnSeverity: string;
+}
+import { Audit } from './audit.js';
+//# sourceMappingURL=trusted-types-xss.d.ts.map

package/core/audits/trusted-types-xss.js

@@ -0,0 +1,137 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import {Directive} from 'csp_evaluator/dist/csp.js';
+
+import {Audit} from './audit.js';
+import {MainResource} from '../computed/main-resource.js';
+import * as i18n from '../lib/i18n/i18n.js';
+import {parseCsp} from '../lib/csp-evaluator.js';
+
+const UIStrings = {
+  /** Title of a Lighthouse audit that evaluates whether the set CSP header and Trusted Types directive is mitigating DOM-based XSS. "CSP" stands for "Content-Security-Policy" and should not be translated. "XSS" stands for "Cross Site Scripting" and should not be translated. */
+  title: 'Mitigate DOM-based XSS with Trusted Types',
+  /** Description of a Lighthouse audit that evaluates whether the set CSP header and Trusted Types directive is mitigating DOM-based XSS. This is displayed after a user expands the section to see more. "CSP" stands for "Content-Security-Policy" and should not be translated. "XSS" stands for "Cross Site Scripting" and should not be translated. No character length limits. The last sentence starting with 'Learn' becomes link text to additional documentation. */
+  description:
+      'The `require-trusted-types-for` directive in the `Content-Security-Policy` (CSP) header ' +
+      'instructs user agents to control the data passed to DOM XSS sink functions. ' +
+      '[Learn more about mitigating DOM-based XSS with Trusted Types](https://web.dev/articles/trusted-types).',
+  /** Summary text for the results of a Lighthouse audit that evaluates whether the set CSP header and Trusted Types directive is mitigating DOM-based XSS. This text is displayed if the page does not respond with a CSP header and a Trusted Types directive. "CSP" stands for "Content-Security-Policy" and should not be translated. "XSS" stands for "Cross Site Scripting" and should not be translated. */
+  noTrustedTypesToMitigateXss:
+      'No `Content-Security-Policy` header with Trusted Types directive found',
+  /** Label for a column in a data table; entries will be the severity of an issue with the page's CSP and Trusted Types directive. */
+  columnSeverity: 'Severity',
+};
+
+const str_ = i18n.createIcuMessageFn(import.meta.url, UIStrings);
+
+class TrustedTypesXss extends Audit {
+  /**
+   * @return {LH.Audit.Meta}
+   */
+  static get meta() {
+    return {
+      id: 'trusted-types-xss',
+      scoreDisplayMode: Audit.SCORING_MODES.INFORMATIVE,
+      title: str_(UIStrings.title),
+      description: str_(UIStrings.description),
+      requiredArtifacts: ['DevtoolsLog', 'MetaElements', 'URL'],
+      supportedModes: ['navigation'],
+    };
+  }
+
+  /**
+   * @param {LH.Artifacts} artifacts
+   * @param {LH.Audit.Context} context
+   * @return {Promise<{cspHeaders: string[], cspMetaTags: string[]}>}
+   */
+  static async getRawCsps(artifacts, context) {
+    const devtoolsLog = artifacts.DevtoolsLog;
+    const mainResource = await MainResource.request({devtoolsLog, URL: artifacts.URL}, context);
+
+    const cspMetaTags = artifacts.MetaElements
+      .filter(m => {
+        return m.httpEquiv && m.httpEquiv.toLowerCase() === 'content-security-policy';
+      })
+      .flatMap(m => (m.content || '').split(','))
+      .filter(rawCsp => rawCsp.replace(/\s/g, ''));
+    const cspHeaders = mainResource.responseHeaders
+      .filter(h => {
+        return h.name.toLowerCase() === 'content-security-policy';
+      })
+      .flatMap(h => h.value.split(','))
+      .filter(rawCsp => rawCsp.replace(/\s/g, ''));
+
+    return {cspHeaders, cspMetaTags};
+  }
+
+  /**
+   * @param {LH.IcuMessage | string} findingDescription
+   * @param {LH.IcuMessage=} severity
+   * @return {LH.Audit.Details.TableItem}
+   */
+  static findingToTableItem(findingDescription, severity) {
+    return {
+      description: findingDescription,
+      severity,
+    };
+  }
+
+  /**
+   * @param {string[]} cspHeaders
+   * @param {string[]} cspMetaTags
+   * @return {{score: number, results: LH.Audit.Details.TableItem[]}}
+   */
+  static constructResults(cspHeaders, cspMetaTags) {
+    const rawCsps = [...cspHeaders, ...cspMetaTags];
+    const parsedCsps = rawCsps.map(parseCsp);
+
+    // Check for require-trusted-types-for 'script' in CSP.
+    for (const pc of parsedCsps) {
+      const directiveValues = pc.directives[pc.getEffectiveDirective(
+                                  Directive.REQUIRE_TRUSTED_TYPES_FOR)] || [];
+      if (directiveValues.includes('\'script\'')) {
+        return {score: 1, results: []};
+      }
+    }
+
+    return {
+      score: 0,
+      results: [{
+        severity: str_(i18n.UIStrings.itemSeverityHigh),
+        description: str_(UIStrings.noTrustedTypesToMitigateXss),
+      }],
+    };
+  }
+
+  /**
+   * @param {LH.Artifacts} artifacts
+   * @param {LH.Audit.Context} context
+   * @return {Promise<LH.Audit.Product>}
+   */
+  static async audit(artifacts, context) {
+    const {cspHeaders, cspMetaTags} = await this.getRawCsps(artifacts, context);
+    const {score, results} = this.constructResults(cspHeaders, cspMetaTags);
+
+    /** @type {LH.Audit.Details.Table['headings']} */
+    const headings = [
+      /* eslint-disable max-len */
+      {key: 'description', valueType: 'text', subItemsHeading: {key: 'description'}, label: str_(i18n.UIStrings.columnDescription)},
+      {key: 'severity', valueType: 'text', subItemsHeading: {key: 'severity'}, label: str_(UIStrings.columnSeverity)},
+      /* eslint-enable max-len */
+    ];
+    const details = Audit.makeTableDetails(headings, results);
+
+    return {
+      score,
+      notApplicable: !results.length,
+      details,
+    };
+  }
+}
+
+export default TrustedTypesXss;
+export {UIStrings};

package/core/config/default-config.js

@@ -198,6 +198,7 @@ const defaultConfig = {
     'has-hsts',
     'origin-isolation',
     'clickjacking-mitigation',
+    'trusted-types-xss',
     'script-treemap-data',
     'accessibility/accesskeys',
     'accessibility/aria-allowed-attr',
@@ -590,6 +591,7 @@ const defaultConfig = {
         {id: 'has-hsts', weight: 0, group: 'best-practices-trust-safety'},
         {id: 'origin-isolation', weight: 0, group: 'best-practices-trust-safety'},
         {id: 'clickjacking-mitigation', weight: 0, group: 'best-practices-trust-safety'},
+        {id: 'trusted-types-xss', weight: 0, group: 'best-practices-trust-safety'},
         // User Experience
         {id: 'paste-preventing-inputs', weight: 3, group: 'best-practices-ux'},
         {id: 'image-aspect-ratio', weight: 1, group: 'best-practices-ux'},

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "lighthouse",
   "type": "module",
-  "version": "12.7.1-dev.20250705",
+  "version": "12.7.1-dev.20250707",
   "description": "Automated auditing, performance metrics, and best practices for the web.",
   "main": "./core/index.js",
   "bin": {

package/shared/localization/locales/en-US.json

@@ -1493,6 +1493,18 @@
   "core/audits/third-party-summary.js | title": {
     "message": "Minimize third-party usage"
   },
+  "core/audits/trusted-types-xss.js | columnSeverity": {
+    "message": "Severity"
+  },
+  "core/audits/trusted-types-xss.js | description": {
+    "message": "The `require-trusted-types-for` directive in the `Content-Security-Policy` (CSP) header instructs user agents to control the data passed to DOM XSS sink functions. [Learn more about mitigating DOM-based XSS with Trusted Types](https://web.dev/articles/trusted-types)."
+  },
+  "core/audits/trusted-types-xss.js | noTrustedTypesToMitigateXss": {
+    "message": "No `Content-Security-Policy` header with Trusted Types directive found"
+  },
+  "core/audits/trusted-types-xss.js | title": {
+    "message": "Mitigate DOM-based XSS with Trusted Types"
+  },
   "core/audits/unsized-images.js | description": {
     "message": "Set an explicit width and height on image elements to reduce layout shifts and improve CLS. [Learn how to set image dimensions](https://web.dev/articles/optimize-cls#images_without_dimensions)"
   },

package/shared/localization/locales/en-XL.json

@@ -1493,6 +1493,18 @@
   "core/audits/third-party-summary.js | title": {
     "message": "M̂ín̂ím̂íẑé t̂h́îŕd̂-ṕâŕt̂ý ûśâǵê"
   },
+  "core/audits/trusted-types-xss.js | columnSeverity": {
+    "message": "Ŝév̂ér̂ít̂ý"
+  },
+  "core/audits/trusted-types-xss.js | description": {
+    "message": "T̂h́ê `require-trusted-types-for` d́îŕêćt̂ív̂é îń t̂h́ê `Content-Security-Policy` (ĆŜṔ) ĥéâd́êŕ îńŝt́r̂úĉt́ŝ úŝér̂ áĝén̂t́ŝ t́ô ćôńt̂ŕôĺ t̂h́ê d́ât́â ṕâśŝéd̂ t́ô D́ÔḾ X̂ŚŜ śîńk̂ f́ûńĉt́îón̂ś. [L̂éâŕn̂ ḿôŕê áb̂óût́ m̂ít̂íĝát̂ín̂ǵ D̂ÓM̂-b́âśêd́ X̂ŚŜ ẃît́ĥ T́r̂úŝt́êd́ T̂ýp̂éŝ](https://web.dev/articles/trusted-types)."
+  },
+  "core/audits/trusted-types-xss.js | noTrustedTypesToMitigateXss": {
+    "message": "N̂ó `Content-Security-Policy` ĥéâd́êŕ ŵít̂h́ T̂ŕûśt̂éd̂ T́ŷṕêś d̂ír̂éĉt́îv́ê f́ôún̂d́"
+  },
+  "core/audits/trusted-types-xss.js | title": {
+    "message": "M̂ít̂íĝát̂é D̂ÓM̂-b́âśêd́ X̂ŚŜ ẃît́ĥ T́r̂úŝt́êd́ T̂ýp̂éŝ"
+  },
   "core/audits/unsized-images.js | description": {
     "message": "Ŝét̂ án̂ éx̂ṕl̂íĉít̂ ẃîd́t̂h́ âńd̂ h́êíĝh́t̂ ón̂ ím̂áĝé êĺêḿêńt̂ś t̂ó r̂éd̂úĉé l̂áŷóût́ ŝh́îf́t̂ś âńd̂ ím̂ṕr̂óv̂é ĈĹŜ. [Ĺêár̂ń ĥóŵ t́ô śêt́ îḿâǵê d́îḿêńŝíôńŝ](https://web.dev/articles/optimize-cls#images_without_dimensions)"
   },