#5569 Add compliance with Trusted Types

[sosnovsky]

This PR adds Trusted Types policy for compatibility with upcoming Gmail policy update

close #5569

---

Tests (delete all except exactly one):

• Does not need tests (refactor only, docs or internal changes)

---

To be filled by reviewers

I have reviewed that this PR... (tick whichever items you personally focused on during this review):

• addresses the issue it closes (if any)
• code is readable and understandable
• is accompanied with tests, or tests are not needed
• is free of vulnerabilities
• is documented clearly and usefully, or doesn't need documentation

[sosnovsky]

@martgil this PR is ready for review, thanks!

[martgil]

I think it is also a good idea to update some of the few options for the DOMPurify configuration option to return trusted type by adding the RETURN_TRUSTED_TYPE property set to true when DOMPurify.sanitize() is used:

flowcrypt-browser/extension/types/purify.d.ts

Line 18 in a403966

export declare function sanitize(source: string | Node, config: Config & { RETURN_DOM: true; }): HTMLElement;

Reference:
https://github.com/cure53/DOMPurify?tab=readme-ov-file#what-about-dompurify-and-trusted-types
https://web.dev/articles/trusted-types#use_a_library

[sosnovsky]

I think it is also a good idea to update some of the few options for the DOMPurify configuration option to return trusted type by adding the RETURN_TRUSTED_TYPE property set to true when DOMPurify.sanitize() is used:

Nice suggestion, I'll check this property and also standard dompurify types from https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/dompurify as we currently use outdated types for v2.

[sosnovsky]

@martgil I tried to add RETURN_TRUSTED_TYPE property to DOMPurify, but it'll require a lot of changes in our code - at least all usages of Xss.htmlSanitize, as currently it returns string, but with Trusted Types it's return type will be string | TrustedHTML. And also adding @types/trusted-types leads to build error, will need investigation too.

So let's plan this change to the next milestone (I created separate issue for it - #5576), as we need to finish current release in the beginning of February, before Gmail policy update.
In this PR I've also updated purify.d.ts to the latest version from https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/dompurify

[martgil]

@martgil I tried to add RETURN_TRUSTED_TYPE property to DOMPurify, but it'll require a lot of changes in our code - at least all usages of Xss.htmlSanitize, as currently it returns string, but with Trusted Types it's return type will be string | TrustedHTML. And also adding @types/trusted-types leads to build error, will need investigation too.

I understood completely. This PR also looks good. thanks!

So let's plan this change to the next milestone (I created separate issue for it - #5576), as we need to finish current release in the beginning of February, before Gmail policy update. In this PR I've also updated purify.d.ts to the latest version from https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/dompurify

Okay, thanks! I'll assigned it to myself to work on it.

[martgil]

LGTM! thank you.