CSP Headers

[QROkes]

1. When a CSP Header is set with: require-trusted-types-for 'script'; which is a very common setting, the Ethical Ads stop working.

2. It would be nice if you could stop using external sources like: https://ethicalads.blob.core.windows.net/media/images/2025/02/ethicalads-ad.png which becomes evident when a CSP Header is used and adding an external domain is needed.

3. Also, having a proper CSP Header documented would be really helpful for your users, for example: https://developers.google.com/tag-platform/security/guides/csp

For Ethical Ads:

script-src https://*.ethicalads.io;
img-src https://*.ethicalads.io https://ethicalads.blob.core.windows.net/;
connect-src https://*.ethicalads.io;

[davidfischer]

For number 2 at least, all our ads should use an image at media.ethicalads.io. Not sure why the underlying bucket name is used and I'll look into that.

[davidfischer]

For number 2 at least, all our ads should use an image at media.ethicalads.io. Not sure why the underlying bucket name is used and I'll look into that.

I'm wrong here. I see where this is coming from and I'll see if I can get that fixed up.

[davidfischer]

For point 1, do you have a specific proposal? Require-trusted-types-for is currently Chromium browsers only (see this) although it seems Safari support may be coming soon

[QROkes]

For point 1, do you have a specific proposal? Require-trusted-types-for is currently Chromium browsers only (see this) although it seems Safari support may be coming soon

The script https://media.ethicalads.io/media/client/ethicalads.min.js uses legacy DOM methods like element.innerHTML, which become restricted under require-trusted-types-for 'script'. To make the script compatible with Trusted Types, you’d need to register a Trusted Types policy via TrustedTypes.createPolicy() that allows specific sanitization of content.

const policy = trustedTypes.createPolicy("default", {
     createHTML:input=>input     // Your sanitization logic here
});

element.innerHTML = policy.createHTML("<div>Safe content</div>");

[davidfischer]

I'm not 100% sure we'll implement trusted types right now as they're not supported in Firefox. Is there an alternative that is widely supported?

[QROkes]

Trusted Types code in JS is already supported. What's still not supported is the CSP policy require-trusted-types-for in Firefox; it will just be ignored.

[davidfischer]

(This is Firefox v141.0)

Caniuse also shows it as completely unsupported . Please correct me if I'm wrong.

[QROkes]

TBH, I don't know!
In a fresh Firefox installation (version 141.0.2), I'm not seeing any errors/warnings in the Console.

[davidfischer]

All resources now are sent through *.ethicalads.io. I'm not currently sure points 1 or 3 are actionable in a cross-browser way. I'm open to suggestions.

[QROkes]

You're absolutely right—according to Can I Use, Firefox does not currently support the trustedTypes API or the require-trusted-types-for 'script' directive.

However, it's important to note that Firefox doesn't throw errors or block functionality when this directive is present. It simply ignores it, which means:

• ✅ Browsers like Chrome and Edge enforce Trusted Types, adding strong protection against XSS.
• 🟡 Firefox skips enforcement but continues to work normally.

This makes it a safe, progressive enhancement. You gain security benefits in supported browsers without breaking compatibility in others.

Additionally, Firefox does offer an experimental flag:
You can enable support manually by setting dom.security.trusted_types.enabled to true in about:config.

So while it's not officially supported yet, there's no downside to including it in your CSP header. You're future-proofing your app and improving security where possible.

[QROkes]

Just as additional context in support of point  3

While working with X Ads (Twitter) today, I was pleased to see that their official documentation now explicitly includes Content Security Policy (CSP) guidance for their tracking scripts. Conversion Tracking for Websites – X Ads Help Center

It’s a great example of how major platforms are starting to bake CSP considerations directly into their integration docs. This is becoming the norm, and it really helps developers adopt stronger security practices without guesswork.