Prevent DOM-based XSS with Trusted Types and Content Security Policy with report-uri

The CSP response header:

Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://role.has.report/report

Trusted Types with a default policy
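
The following is an added example, not this page's own code, of a default policy that works under the header above. Escaping stands in for a real HTML sanitizer, and the function names and the allowed origin `https://static.example` are assumptions.

```javascript
// Added example: a 'default' Trusted Types policy for pages served with
// require-trusted-types-for 'script'. The origin below is an assumed value.
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://static.example']);

// Neutralise markup so strings reaching HTML sinks render as text.
function escapeHTML(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow script URLs only from listed https origins; null rejects the value.
function checkScriptURL(input, base) {
  let url;
  try {
    url = new URL(input, base);
  } catch (e) {
    return null; // unparsable, or relative with no base
  }
  if (url.protocol !== 'https:') return null;
  return ALLOWED_SCRIPT_ORIGINS.has(url.origin) ? url.href : null;
}

// String-to-code sinks (eval, inline script text) are never allowed.
function rejectScript() {
  return null;
}

// tt is the browser's trustedTypes object; base resolves relative URLs.
function installDefaultPolicy(tt, base) {
  if (!tt || typeof tt.createPolicy !== 'function') return null; // no support
  return tt.createPolicy('default', {
    createHTML: (s) => escapeHTML(s),
    createScriptURL: (s) => checkScriptURL(s, base),
    createScript: () => rejectScript(),
  });
}

// In a browser: install before any other script writes to a DOM sink.
if (typeof window !== 'undefined') {
  installDefaultPolicy(window.trustedTypes, window.location.href);
}
```

When the default policy returns null, the browser treats the assignment as a Trusted Types violation: it blocks the write and sends a report to the `report-uri` endpoint.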


Related specs & documents