Support trusted-types reports delivered as CSP violations

[shekyan]

Summary

Trusted Types API uses CSP reporting to deliver violations. Sentry refuses to accept those because Invalid security report: u'trusted-types' is not one of ['base-uri', 'child-src', 'connect-src', 'default-src', 'font-src', 'form-action', 'frame-ancestors', 'frame-src', 'img-src', 'manifest-src', 'media-src', 'object-src', 'plugin-types', 'prefetch-src', 'referrer', 'script-src', 'script-src-attr', 'script-src-elem', 'style-src', 'style-src-elem', 'style-src-attr', 'upgrade-insecure-requests', 'worker-src']

Motivation

Trusted Types is a promising API that helps eliminate DOM XSS in the document.

Additional Context

Changes to violation object

[github-actions]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Accepted, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[artursvonda]

Bump

[markstory]

My concern with trusted-types is that it is still in the draft stage, and that it is only implemented in a single browser.

[oioki]

For the reference, Trusted Types (and some other missing CSP directives) are supported since getsentry/relay#876