feat(secure-headers): support CSP TrustedTypePolicy (#4500)

* feat(secure-headers): support TrustedTypePolicy

* ci: apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

Author: RosApr

src/middleware/secure-headers/index.test.ts

@@ -245,6 +245,8 @@ describe('Secure Headers Middleware', () => {
             scriptSrc: ["'self'"],
             scriptSrcAttr: ["'none'"],
             styleSrc: ["'self'", 'https:', "'unsafe-inline'"],
+            requireTrustedTypesFor: ["'script'"],
+            trustedTypes: ["'none'"],
           },
         })
       )
@@ -256,7 +258,7 @@ describe('Secure Headers Middleware', () => {
 
       const res = await app.request('/test')
       expect(res.headers.get(cspHeaderName)).toEqual(
-        "default-src 'self'; base-uri 'self'; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'"
+        "default-src 'self'; base-uri 'self'; font-src 'self' https: data:; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; require-trusted-types-for 'script'; trusted-types 'none'"
       )
     })
 

src/middleware/secure-headers/secure-headers.ts

@@ -38,6 +38,8 @@ interface ContentSecurityPolicyOptions {
   styleSrcElem?: ContentSecurityPolicyOptionValue
   upgradeInsecureRequests?: ContentSecurityPolicyOptionValue
   workerSrc?: ContentSecurityPolicyOptionValue
+  requireTrustedTypesFor?: ContentSecurityPolicyOptionValue
+  trustedTypes?: ContentSecurityPolicyOptionValue
 }
 
 interface ReportToOptions {