Merge pull request #1 from AegisJSProject/release/1.0.0

Initial batch of code

Author: shgysk8zer0

.eslintrc.json

@@ -31,7 +31,8 @@
         "no-prototype-builtins": 0
     },
     "globals": {
-      "globalThis": "readonly"
+      "globalThis": "readonly",
+      "trustedTypes": "readonly"
     }
 }
 

.npmignore

@@ -1,5 +1,6 @@
 node_modules/
 .github/
+test/
 .editorconfig
 .eslintignore
 .eslintrc.json
@@ -14,6 +15,4 @@ importmap.yaml
 *.tgz
 *.log
 *.bak
-*.min.*
-*.map
 *.env

CHANGELOG.md

@@ -6,65 +6,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
-- Setup to transpile all `./*.js` to `./cjs/*.cjs` (except `*.config.js`)
-- Update `exports` and `main` accordingly
-
-## [v1.1.1] - 2023-09-24
-
-### Added
-- Add `unpkg` to `package.json`
-- Add badges in README
-
-### Changed
-- Update `exports` to `package.json` to handle wider variety
-
-### Fixed
-- Fix typo in `fix:js` script
-
-### [v1.1.0] - 2023-07-03
-
-### Changed
-- Update to node 20
-- Update npm publishing GH Action
-
-## [v1.0.5] - 2023-07-02
-
-### Added
-- Add `funding`
-
-### Changed
-- Updated GitHub Actions workflows 
-- Update versioning & lock-file scripts
-- Update `.npmignore` & `.gitignore`
-
-## [v1.0.4] - 2023-06-08
-
-### Added
-- Install `@shgysk8zer0/npm-utils`
-- Add `exports` to package config
-
-### Removed
-- Uninstall `rollup`, `eslint`
-
-### Changed
-- Use `getConfig()` from `@shgysk8zer0/js-utils/rollup` for rollup config
-
-## [v1.0.3] - 2023-06-01
-
-### Fixed
-- Revert to old Release Action, now with permissions & link to changelog
-
-## [v1.0.2] - 2023-06-01
-
-### Fixed
-- Fix `changelog-entry` to match `[$version]` instead of `$version`
-
-## [v1.0.1] - 2023-05-31
-
-### Fixed
-- Update GitHub Release workflow to use [Auto Release](https://github.com/marketplace/actions/auto-release)
-
-## [v1.0.0] - 2023-05-31
+## [v1.0.0] - 2024-04-01
 
 Initial Release

README.md

@@ -1,24 +1,24 @@
-# npm-template
+# @aegisjsproject/trusted-types
 
-A template repo for npm packages
+A polyfill for the [Trusted Types API](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API)
 
-[![CodeQL](https://github.com/shgysk8zer0/node-http/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/shgysk8zer0/npm-template/actions/workflows/codeql-analysis.yml)
-![Node CI](https://github.com/shgysk8zer0/node-http/workflows/Node%20CI/badge.svg)
-![Lint Code Base](https://github.com/shgysk8zer0/node-http/workflows/Lint%20Code%20Base/badge.svg)
+[![CodeQL](https://github.com/AegisJSProject/trusted-types/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/AegisJSProject/trusted-types/actions/workflows/codeql-analysis.yml)
+![Node CI](https://github.com/AegisJSProject/trusted-types/workflows/Node%20CI/badge.svg)
+![Lint Code Base](https://github.com/AegisJSProject/trusted-types/workflows/Lint%20Code%20Base/badge.svg)
 
-[![GitHub license](https://img.shields.io/github/license/shgysk8zer0/node-http.svg)](https://github.com/shgysk8zer0/node-http/blob/master/LICENSE)
-[![GitHub last commit](https://img.shields.io/github/last-commit/shgysk8zer0/node-http.svg)](https://github.com/shgysk8zer0/node-http/commits/master)
-[![GitHub release](https://img.shields.io/github/release/shgysk8zer0/node-http?logo=github)](https://github.com/shgysk8zer0/node-http/releases)
+[![GitHub license](https://img.shields.io/github/license/AegisJSProject/trusted-types.svg)](https://github.com/AegisJSProject/trusted-types/blob/master/LICENSE)
+[![GitHub last commit](https://img.shields.io/github/last-commit/AegisJSProject/trusted-types.svg)](https://github.com/AegisJSProject/trusted-types/commits/master)
+[![GitHub release](https://img.shields.io/github/release/AegisJSProject/trusted-types?logo=github)](https://github.com/AegisJSProject/trusted-types/releases)
 [![GitHub Sponsors](https://img.shields.io/github/sponsors/shgysk8zer0?logo=github)](https://github.com/sponsors/shgysk8zer0)
 
-[![npm](https://img.shields.io/npm/v/@shgysk8zer0/npm-template)](https://www.npmjs.com/package/@shgysk8zer0/npm-template)
-![node-current](https://img.shields.io/node/v/@shgysk8zer0/npm-template)
-![npm bundle size gzipped](https://img.shields.io/bundlephobia/minzip/@shgysk8zer0/npm-template)
-[![npm](https://img.shields.io/npm/dw/@shgysk8zer0/npm-template?logo=npm)](https://www.npmjs.com/package/@shgysk8zer0/npm-template)
+[![npm](https://img.shields.io/npm/v/@aegisjsproject/trusted-types)](https://www.npmjs.com/package/@aegisjsproject/trusted-types)
+![node-current](https://img.shields.io/node/v/@aegisjsproject/trusted-types)
+![npm bundle size gzipped](https://img.shields.io/bundlephobia/minzip/@aegisjsproject/trusted-types)
+[![npm](https://img.shields.io/npm/dw/@aegisjsproject/trusted-types?logo=npm)](https://www.npmjs.com/package/@aegisjsproject/trusted-types)
 
-[![GitHub followers](https://img.shields.io/github/followers/shgysk8zer0.svg?style=social)](https://github.com/shgysk8zer0)
-![GitHub forks](https://img.shields.io/github/forks/shgysk8zer0/node-http.svg?style=social)
-![GitHub stars](https://img.shields.io/github/stars/shgysk8zer0/node-http.svg?style=social)
+[![GitHub followers](https://img.shields.io/github/followers/AegisJSProject.svg?style=social)](https://github.com/AegisJSProoject)
+![GitHub forks](https://img.shields.io/github/forks/AegisJSProject/trusted-types.svg?style=social)
+![GitHub stars](https://img.shields.io/github/stars/AegisJSProject/trusted-types.svg?style=social)
 [![Twitter Follow](https://img.shields.io/twitter/follow/shgysk8zer0.svg?style=social)](https://twitter.com/shgysk8zer0)
 
 [![Donate using Liberapay](https://img.shields.io/liberapay/receives/shgysk8zer0.svg?logo=liberapay)](https://liberapay.com/shgysk8zer0/donate "Donate using Liberapay")
@@ -27,3 +27,47 @@ A template repo for npm packages
 - [Code of Conduct](./.github/CODE_OF_CONDUCT.md)
 - [Contributing](./.github/CONTRIBUTING.md)
 <!-- - [Security Policy](./.github/SECURITY.md) -->
+
+## [Concepts and Usage](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage)
+
+Client-side, or DOM-based, XSS attacks happen when data controlled by a user
+(such as that input into a form field) reaches a function that can execute that
+data. These functions are known as injection sinks. DOM-based XSS attacks happen
+when a user is able to write arbitrary JavaScript code and have it executed by one
+of these functions.
+
+The Trusted Types API locks down risky injection sinks, requiring you to process
+the data before passing it to one of these functions. If you use a string, then
+the browser will throw a TypeError and prevent the use of the function.
+
+Trusted Types works alongside [Content-Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
+with the [`trusted-types`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types)
+and [`require-trusted-types-for`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for)
+directives.
+
+### [Injection Sinks](https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API#injection_sinks)
+
+The Trusted Types API locks down injection sinks that can act as a vector for DOM-XSS
+attacks. An injection sink is any Web API function that should only be called
+with trusted, validated or sanitized input. Examples of injection sinks include:
+
+- Functions that insert HTML into the document such as Element.innerHTML, Element.outerHTML, or Document.write.
+- Functions that create a new same-origin Document with caller-controlled markup such as DOMParser.parseFromString.
+- Functions that execute code such as Global_Objects/eval.
+- Setters for Element attributes that accept a URL of code to load or execute.
+
+Trusted Types will force you to process the data before passing it to any
+injection sink rather than use a string. This ensures that the data is trustworthy.
+
+> [!IMPORTANT]
+> Since the document cannot directly access HTTP headers, this polyfill requires
+> either `<meta http-equiv="Content-Security-Policy">` or a `data-trusted-policies`
+> attribute to be set on `<html>`.
+
+The Trusted Types API gives web developers a way to lock down the insecure parts
+of the DOM API to prevent client-side Cross-site scripting (XSS) attacks.
+
+## Included Scripts/Modules
+- **`trusted-types`**: Polyfills the `globalThis.trustedTypes`  object
+- **`harden`**: Overwrites "injection sink" property & attribute setters
+- **`bundle`**: Loads polyfill and conditionally "harden"s

bundle.js

@@ -0,0 +1,2 @@
+import '@aegisjsproject/trusted-types/trusted-types.js';
+import '@aegisjsproject/trusted-types/harden.js';