fails with CSP policy that includes require-trusted-types-for 'script'

[bman654]

This CSP policy

Content-Security-Policy: require-trusted-types-for 'script'; trusted-types: esmoduleshims

causes the shim to fail during init:

due to the manipulation of some DOM elements via innerHTML property.

I think the fix is to change the code to something more like:

// let call supply the trusted types name via config.trustedTypesPolicyName to opt-in to trusted types support
// at top of module
const ttpConfig = {
  // normally these methods would santize their input, but we know what we are doing and we trust the
  // input so our methods are merely identity functions
  createHTML: input => input
  createScript: input => input
  createScriptURL: input => input
}

const ttp = (typeof trustedTypes !== "undefined") && config.trustedTypesPolicyName ?
  // we know what we are doing and do not need to sanitize the input
  trustedTypes.createPolicy(config.trustedTypesPolicyName, ttpConfig)
  : ttpConfig;

// anywhere innerHTML is being set
// el.innerHTML = html
el.innerHTML = ttp.createHTML(html)

// anywhere script src is being set
//scriptEl.src = url
scriptEl.src = ttp.createScriptURL(url)

// anywhere Function constructor is being used:
// f = new Function ("a", "b", code)
f = new Function("a", "b", ttp.createScript(code))

See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for

[guybedford]

This proposal does sound like it could work to me as a way to support trusted types. I would be happy to take a PR.