DOM-based XSS Injection Sinks Detection with Trusted Types and Content Security Policy with report-uri

The CSPRO (CSP Report-Only) response header:

Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://sally.has.report/report
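One way to triage what arrives at the report-uri endpoint once the header above is deployed (an added example, not code from the original page). The report bodies, the app.example URLs and the function names parseSinkReport and summarize are constructed for illustration; the "sink|value" layout of script-sample follows the violation sample format defined in the Trusted Types specification.

```javascript
// Constructed sample bodies, shaped like the application/csp-report JSON
// a browser POSTs to the report-uri endpoint. All values are made up.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/profile',
    'violated-directive': 'require-trusted-types-for',
    'blocked-uri': 'trusted-types-sink',
    'source-file': 'https://app.example/static/profile.js',
    'line-number': 42,
    'script-sample': 'Element innerHTML|<b>hello</b>',
    disposition: 'report' } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/',
    'violated-directive': 'img-src',
    'blocked-uri': 'https://cdn.example/x.png' } }),
  'not json',
];

// Returns a sink record for Trusted Types sink violations, or null for
// anything else (other directives, malformed bodies).
function parseSinkReport(body) {
  let r;
  try { r = JSON.parse(body)['csp-report']; } catch (e) { return null; }
  if (!r || typeof r !== 'object') return null;
  const directive = String(r['effective-directive'] || r['violated-directive'] || '');
  if (!directive.startsWith('require-trusted-types-for')) return null;
  // The sample, when present, is "<sink>|<start of the assigned string>".
  const sample = String(r['script-sample'] || '');
  const bar = sample.indexOf('|');
  return {
    sink: (bar === -1 ? sample : sample.slice(0, bar)) || 'unknown',
    valuePrefix: bar === -1 ? '' : sample.slice(bar + 1),
    page: String(r['document-uri'] || ''),
    location: `${r['source-file'] || 'unknown'}:${r['line-number'] || 0}`,
    enforced: r.disposition === 'enforce',
  };
}

// Group violations by sink and code location so each distinct call site
// appears once with a hit count.
function summarize(bodies) {
  const counts = new Map();
  for (const rec of bodies.map(parseSinkReport).filter(Boolean)) {
    const key = `${rec.sink} @ ${rec.location}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}
```

The grouped output gives a list of DOM sink call sites to migrate to Trusted Types before switching from the Report-Only header to enforcement.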

DOM-based XSS

Related specs & documents