From ffa9d0ff455295966712b27f04ac7952ec00a3b7 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Mon, 23 Jan 2023 08:10:17 +0100
Subject: [PATCH 01/11] feat(core): support TrustedType

---
 .../firebase_core/example/web/index.html      |  57 ++++++-
 .../lib/firebase_core_web.dart                |   5 +-
 .../lib/src/firebase_core_web.dart            |  25 +++-
 .../firebase_core_web/lib/src/interop/js.dart | 141 ++++++++++++++++++
 4 files changed, 219 insertions(+), 9 deletions(-)
 create mode 100644 packages/firebase_core/firebase_core_web/lib/src/interop/js.dart

diff --git a/packages/firebase_core/firebase_core/example/web/index.html b/packages/firebase_core/firebase_core/example/web/index.html
index 1fa3be6941df..58971ce901ac 100644
--- a/packages/firebase_core/firebase_core/example/web/index.html
+++ b/packages/firebase_core/firebase_core/example/web/index.html
@@ -1,13 +1,56 @@
 <!DOCTYPE html>
 <html>
+  <head>
+    <!--
+    If you are serving your web app in a path other than the root, change the
+    href value below to reflect the base path you are serving from.
 
-<head>
-  <meta charset="UTF-8">
-  <title>Firebase Core Example</title>
-</head>
+    The path provided below has to start and end with a slash "/" in order for
+    it to work correctly.
 
-<body>
-  <script src="main.dart.js" type="application/javascript"></script>
-</body>
+    For more details:
+    * https://developer.mozilla.org/en-US/docs/Web/HTML/Element/base
 
+    This is a placeholder for base href that will be replaced by the value of
+    the `--base-href` argument provided to `flutter build`.
+  -->
+    <base href="$FLUTTER_BASE_HREF" />
+
+    <meta charset="UTF-8" />
+    <meta content="IE=Edge" http-equiv="X-UA-Compatible" />
+
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'"
+    />
+
+    <title>Firebase Core Example</title>
+    <link rel="manifest" href="manifest.json" />
+
+    <script>
+      // The value below is injected by flutter build, do not touch.
+      var serviceWorkerVersion = null;
+    </script>
+    <!-- This script adds the flutter initialization JS code -->
+    <script src="flutter.js" defer></script>
+  </head>
+  <body>
+    <script>
+      window.addEventListener('load', function (ev) {
+        // Download main.dart.js
+        _flutter.loader
+          .loadEntrypoint({
+            serviceWorker: {
+              serviceWorkerVersion: serviceWorkerVersion,
+            },
+          })
+          .then(function (engineInitializer) {
+            return engineInitializer.initializeEngine();
+          })
+          .then(function (appRunner) {
+            return appRunner.runApp();
+          });
+      });
+    </script>
+  </body>
 </html>
diff --git a/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart b/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart
index a2ae0d1bc33d..4e3f360568fa 100644
--- a/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart
+++ b/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart
@@ -10,13 +10,16 @@ import 'dart:html';
 import 'dart:js';
 
 import 'package:firebase_core_platform_interface/firebase_core_platform_interface.dart';
+import 'package:firebase_core_web/src/interop/js.dart';
 import 'package:flutter_web_plugins/flutter_web_plugins.dart';
 import 'package:js/js_util.dart' as js_util;
+
 import 'src/interop/core.dart' as firebase;
+import 'src/interop/js.dart' as js;
 
 part 'src/firebase_app_web.dart';
-part 'src/firebase_sdk_version.dart';
 part 'src/firebase_core_web.dart';
+part 'src/firebase_sdk_version.dart';
 
 /// Returns a [FirebaseAppWeb] instance from [firebase.App].
 FirebaseAppPlatform _createFromJsApp(firebase.App jsApp) {
diff --git a/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart b/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
index 86043dc396c3..6d90d300f3d7 100644
--- a/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
+++ b/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
@@ -96,20 +96,43 @@ class FirebaseCoreWeb extends FirebasePlatform {
     return [];
   }
 
+  final String _defaultTrustedPolicyName = 'flutterfire-';
+
   /// Injects a `script` with a `src` dynamically into the head of the current
   /// document.
   Future<void> _injectSrcScript(String src, String windowVar) async {
+    DomTrustedScriptUrl? trustedUrl;
+    final trustedPolicyName = _defaultTrustedPolicyName + windowVar;
+    if (trustedTypes != null) {
+      console.debug(
+        'TrustedTypes available. Creating policy:',
+        trustedPolicyName,
+      );
+      final DomTrustedTypePolicyFactory factory = trustedTypes!;
+      try {
+        final DomTrustedTypePolicy policy = factory.createPolicy(
+          _defaultTrustedPolicyName,
+          DomTrustedTypePolicyOptions(
+            createScriptURL: allowInterop((String url) => src),
+          ),
+        );
+        trustedUrl = policy.createScriptURL(src);
+      } catch (e) {
+        rethrow;
+      }
+    }
     ScriptElement script = ScriptElement();
     script.type = 'text/javascript';
     script.crossOrigin = 'anonymous';
     script.text = '''
       window.ff_trigger_$windowVar = async (callback) => {
-        callback(await import("$src"));
+        callback(await import("${trustedUrl?.toString() ?? src}"));
       };
     ''';
 
     assert(document.head != null);
     document.head!.append(script);
+
     Completer completer = Completer();
 
     context.callMethod('ff_trigger_$windowVar', [
diff --git a/packages/firebase_core/firebase_core_web/lib/src/interop/js.dart b/packages/firebase_core/firebase_core_web/lib/src/interop/js.dart
new file mode 100644
index 000000000000..0a720243449d
--- /dev/null
+++ b/packages/firebase_core/firebase_core_web/lib/src/interop/js.dart
@@ -0,0 +1,141 @@
+// Copyright 2013 The Flutter Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+/*
+// DOM shim. This file contains everything we need from the DOM API written as
+// @staticInterop, so we don't need dart:html
+// https://developer.mozilla.org/en-US/docs/Web/API/
+*/
+
+import 'package:js/js.dart';
+
+/// console interface
+@JS()
+@staticInterop
+@anonymous
+abstract class DomConsole {}
+
+/// The interface of window.console
+extension DomConsoleExtension on DomConsole {
+  /// console.debug
+  external DomConsoleDumpFn get debug;
+
+  /// console.info
+  external DomConsoleDumpFn get info;
+
+  /// console.log
+  external DomConsoleDumpFn get log;
+
+  /// console.warn
+  external DomConsoleDumpFn get warn;
+
+  /// console.error
+  external DomConsoleDumpFn get error;
+}
+
+/// Fakey variadic-type for console-dumping methods (like console.log or info).
+typedef DomConsoleDumpFn = void Function(
+  Object? arg, [
+  Object? arg2,
+  Object? arg3,
+  Object? arg4,
+  Object? arg5,
+  Object? arg6,
+  Object? arg7,
+  Object? arg8,
+  Object? arg9,
+  Object? arg10,
+]);
+
+/// Error object
+@JS('Error')
+@staticInterop
+abstract class DomError {}
+
+/// Methods on the error object
+extension DomErrorExtension on DomError {
+  /// Error message.
+  external String? get message;
+
+  /// Stack trace.
+  external String? get stack;
+
+  /// Error name. This is determined by the constructor function.
+  external String get name;
+
+  /// Error cause indicating the reason why the current error is thrown.
+  ///
+  /// This is usually another caught error, or the value provided as the `cause`
+  /// property of the Error constructor's second argument.
+  external Object? get cause;
+}
+
+/*
+// Trusted Types API (TrustedTypePolicy, TrustedScript, TrustedScriptURL)
+// https://developer.mozilla.org/en-US/docs/Web/API/TrustedTypesAPI
+*/
+
+/// A factory to create `TrustedTypePolicy` objects.
+@JS()
+@staticInterop
+@anonymous
+abstract class DomTrustedTypePolicyFactory {}
+
+/// (Some) methods of the [DomTrustedTypePolicyFactory]:
+extension DomTrustedTypePolicyFactoryExtension on DomTrustedTypePolicyFactory {
+  /// createPolicy
+  external DomTrustedTypePolicy createPolicy(
+    String policyName,
+    DomTrustedTypePolicyOptions? policyOptions,
+  );
+}
+
+/// Options to create a trusted type policy.
+@JS()
+@staticInterop
+@anonymous
+abstract class DomTrustedTypePolicyOptions {
+  /// Constructs a TrustedPolicyOptions object in JavaScript.
+  ///
+  /// The following properties need to be manually wrapped in [allowInterop]
+  /// before being passed to this constructor: [createScriptURL].
+  external factory DomTrustedTypePolicyOptions({
+    DomCreateScriptUrlOptionFn? createScriptURL,
+  });
+}
+
+/// Type of the function to configure createScriptURL
+typedef DomCreateScriptUrlOptionFn = String Function(String input);
+
+/// An instance of a TrustedTypePolicy
+@JS()
+@staticInterop
+@anonymous
+abstract class DomTrustedTypePolicy {}
+
+/// (Some) methods of the [DomTrustedTypePolicy]
+extension DomTrustedTypePolicyExtension on DomTrustedTypePolicy {
+  /// Create a `TrustedScriptURL` for the given [input].
+  external DomTrustedScriptUrl createScriptURL(String input);
+}
+
+/// An instance of a DomTrustedScriptUrl
+@JS()
+@staticInterop
+@anonymous
+abstract class DomTrustedScriptUrl {}
+
+// Getters
+
+/// window.trustedTypes (may or may not be supported by the browser)
+@JS()
+@staticInterop
+@anonymous
+external DomTrustedTypePolicyFactory? get trustedTypes;
+
+/// window.console
+@JS()
+@staticInterop
+@anonymous
+external DomConsole get console;

From 0e42a9a2143f027ab947c3e0ed8dad0109e4f63e Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Mon, 23 Jan 2023 08:15:59 +0100
Subject: [PATCH 02/11] feat(core): support TrustedType

---
 .../firebase_core/firebase_core/example/web/index.html   | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/packages/firebase_core/firebase_core/example/web/index.html b/packages/firebase_core/firebase_core/example/web/index.html
index 58971ce901ac..7ba0fe8597c6 100644
--- a/packages/firebase_core/firebase_core/example/web/index.html
+++ b/packages/firebase_core/firebase_core/example/web/index.html
@@ -19,10 +19,10 @@
     <meta charset="UTF-8" />
     <meta content="IE=Edge" http-equiv="X-UA-Compatible" />
 
-    <meta
+    <!-- <meta
       http-equiv="Content-Security-Policy"
       content="require-trusted-types-for 'script'"
-    />
+    /> -->
 
     <title>Firebase Core Example</title>
     <link rel="manifest" href="manifest.json" />
@@ -36,6 +36,11 @@
   </head>
   <body>
     <script>
+      document.addEventListener(
+        'securitypolicyviolation',
+        console.error.bind(console)
+      );
+
       window.addEventListener('load', function (ev) {
         // Download main.dart.js
         _flutter.loader

From 44ff0c69d94385ec2b54076c1a0134055f286c15 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Mon, 23 Jan 2023 08:34:57 +0100
Subject: [PATCH 03/11] feat(core): support TrustedType

---
 packages/firebase_core/firebase_core/example/web/index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/firebase_core/firebase_core/example/web/index.html b/packages/firebase_core/firebase_core/example/web/index.html
index 7ba0fe8597c6..091baec82002 100644
--- a/packages/firebase_core/firebase_core/example/web/index.html
+++ b/packages/firebase_core/firebase_core/example/web/index.html
@@ -19,10 +19,10 @@
     <meta charset="UTF-8" />
     <meta content="IE=Edge" http-equiv="X-UA-Compatible" />
 
-    <!-- <meta
+    <meta
       http-equiv="Content-Security-Policy"
       content="require-trusted-types-for 'script'"
-    /> -->
+    />
 
     <title>Firebase Core Example</title>
     <link rel="manifest" href="manifest.json" />

From 25de0d121fedc93ad87b21ab41123fd0c0462266 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 08:18:13 +0100
Subject: [PATCH 04/11] feat(core): add trusted types support

---
 .../lib/firebase_core_web.dart                |  1 +
 .../lib/src/firebase_core_web.dart            | 10 +++--
 .../test/firebase_core_tt_test.dart           | 38 +++++++++++++++++++
 .../firebase_core_web/test/tools.dart         | 17 +++++++++
 4 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
 create mode 100644 packages/firebase_core/firebase_core_web/test/tools.dart

diff --git a/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart b/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart
index 4e3f360568fa..fb986285b4d2 100644
--- a/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart
+++ b/packages/firebase_core/firebase_core_web/lib/firebase_core_web.dart
@@ -13,6 +13,7 @@ import 'package:firebase_core_platform_interface/firebase_core_platform_interfac
 import 'package:firebase_core_web/src/interop/js.dart';
 import 'package:flutter_web_plugins/flutter_web_plugins.dart';
 import 'package:js/js_util.dart' as js_util;
+import 'package:meta/meta.dart';
 
 import 'src/interop/core.dart' as firebase;
 import 'src/interop/js.dart' as js;
diff --git a/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart b/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
index 6d90d300f3d7..09e38eec9f2a 100644
--- a/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
+++ b/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
@@ -64,7 +64,8 @@ class FirebaseCoreWeb extends FirebasePlatform {
   /// You can override the supported version by attaching a version string to
   /// the window (window.flutterfire_web_sdk_version = 'x.x.x'). Do so at your
   /// own risk as the version might be unsupported or untested against.
-  String get _firebaseSDKVersion {
+  @visibleForTesting
+  String get firebaseSDKVersion {
     return context['flutterfire_web_sdk_version'] ??
         supportedFirebaseJsSdkVersion;
   }
@@ -100,7 +101,8 @@ class FirebaseCoreWeb extends FirebasePlatform {
 
   /// Injects a `script` with a `src` dynamically into the head of the current
   /// document.
-  Future<void> _injectSrcScript(String src, String windowVar) async {
+  @visibleForTesting
+  Future<void> injectSrcScript(String src, String windowVar) async {
     DomTrustedScriptUrl? trustedUrl;
     final trustedPolicyName = _defaultTrustedPolicyName + windowVar;
     if (trustedTypes != null) {
@@ -155,7 +157,7 @@ class FirebaseCoreWeb extends FirebasePlatform {
       return;
     }
 
-    String version = _firebaseSDKVersion;
+    String version = firebaseSDKVersion;
     List<String> ignored = _ignoredServiceScripts;
 
     await Future.wait(
@@ -164,7 +166,7 @@ class FirebaseCoreWeb extends FirebasePlatform {
           return Future.value();
         }
 
-        return _injectSrcScript(
+        return injectSrcScript(
           'https://www.gstatic.com/firebasejs/$version/firebase-${service.name}.js',
           'firebase_${service.override ?? service.name}',
         );
diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
new file mode 100644
index 000000000000..7d1a2603be17
--- /dev/null
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
@@ -0,0 +1,38 @@
+// Copyright 2013 The Flutter Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+import 'package:firebase_core_web/firebase_core_web.dart';
+import 'package:flutter_test/flutter_test.dart';
+
+import 'tools.dart';
+
+// NOTE: This file needs to be separated from the others because Content
+// Security Policies can never be *relaxed* once set.
+//
+// In order to not introduce a dependency in the order of the tests, we split
+// them in different files, depending on the strictness of their CSP:
+//
+// * js_loader_test.dart : default TT configuration (not enforced)
+// * js_loader_tt_custom_test.dart : TT are customized, but allowed
+// * js_loader_tt_forbidden_test.dart: TT are completely disallowed
+
+void main() {
+  group('injectScript (TrustedTypes configured)', () {
+    injectMetaTag(<String, String>{
+      'http-equiv': 'Content-Security-Policy',
+      'content': "trusted-types my-custom-policy-name 'allow-duplicates';",
+    });
+
+    test('Should inject Firebase Core script properly', () {
+      final coreWeb = FirebaseCoreWeb();
+      final version = coreWeb.firebaseSDKVersion;
+      final Future<void> done = coreWeb.injectSrcScript(
+        'https://www.gstatic.com/firebasejs/$version/firebase-app.js',
+        'firebase_core',
+      );
+
+      expect(done, isA<Future<void>>());
+    });
+  });
+}
diff --git a/packages/firebase_core/firebase_core_web/test/tools.dart b/packages/firebase_core/firebase_core_web/test/tools.dart
new file mode 100644
index 000000000000..b2a1c5bca791
--- /dev/null
+++ b/packages/firebase_core/firebase_core_web/test/tools.dart
@@ -0,0 +1,17 @@
+import 'dart:html';
+
+import 'package:firebase_core_web/src/interop/js.dart' as dom;
+import 'package:js/js_util.dart' as js_util;
+
+/// Injects a `<meta>` tag with the provided [attributes] into the [dom.document].
+void injectMetaTag(Map<String, String> attributes) {
+  final Element meta = document.createElement('meta');
+  for (final MapEntry<String, String> attribute in attributes.entries) {
+    js_util.callMethod(
+      meta,
+      'setAttribute',
+      <String>[attribute.key, attribute.value],
+    );
+  }
+  document.head?.append(meta);
+}

From 567ed54dd4a9e8675d002135e20cb86027f3f33f Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 08:24:20 +0100
Subject: [PATCH 05/11] feat(core): add trusted types support

---
 .../firebase_core_web/test/firebase_core_tt_test.dart  |  7 -------
 .../firebase_core_web/test/firebase_core_web_test.dart | 10 +++++-----
 .../firebase_core/firebase_core_web/test/tools.dart    |  4 ++++
 3 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
index 7d1a2603be17..86d773c4f412 100644
--- a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
@@ -9,13 +9,6 @@ import 'tools.dart';
 
 // NOTE: This file needs to be separated from the others because Content
 // Security Policies can never be *relaxed* once set.
-//
-// In order to not introduce a dependency in the order of the tests, we split
-// them in different files, depending on the strictness of their CSP:
-//
-// * js_loader_test.dart : default TT configuration (not enforced)
-// * js_loader_tt_custom_test.dart : TT are customized, but allowed
-// * js_loader_tt_forbidden_test.dart: TT are completely disallowed
 
 void main() {
   group('injectScript (TrustedTypes configured)', () {
diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_web_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_web_test.dart
index a738cc24127a..974b883e2a5f 100644
--- a/packages/firebase_core/firebase_core_web/test/firebase_core_web_test.dart
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_web_test.dart
@@ -1,4 +1,3 @@
-// ignore_for_file: require_trailing_commas
 // Copyright 2020 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -23,10 +22,11 @@ void main() {
           (String name) => FirebaseAppMock(
             name: name,
             options: FirebaseAppOptionsMock(
-                apiKey: 'abc',
-                appId: '123',
-                messagingSenderId: 'msg',
-                projectId: 'test'),
+              apiKey: 'abc',
+              appId: '123',
+              messagingSenderId: 'msg',
+              projectId: 'test',
+            ),
           ),
         ),
       );
diff --git a/packages/firebase_core/firebase_core_web/test/tools.dart b/packages/firebase_core/firebase_core_web/test/tools.dart
index b2a1c5bca791..c6982ff84443 100644
--- a/packages/firebase_core/firebase_core_web/test/tools.dart
+++ b/packages/firebase_core/firebase_core_web/test/tools.dart
@@ -1,3 +1,7 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
 import 'dart:html';
 
 import 'package:firebase_core_web/src/interop/js.dart' as dom;

From 8b4bc2cd03bae78bd9e5af8fe299bbb81e155904 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 08:41:57 +0100
Subject: [PATCH 06/11] feat(core): add trusted types support

---
 .../firebase_core_web/lib/src/firebase_core_web.dart            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart b/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
index 09e38eec9f2a..6073747b4d07 100644
--- a/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
+++ b/packages/firebase_core/firebase_core_web/lib/src/firebase_core_web.dart
@@ -113,7 +113,7 @@ class FirebaseCoreWeb extends FirebasePlatform {
       final DomTrustedTypePolicyFactory factory = trustedTypes!;
       try {
         final DomTrustedTypePolicy policy = factory.createPolicy(
-          _defaultTrustedPolicyName,
+          trustedPolicyName,
           DomTrustedTypePolicyOptions(
             createScriptURL: allowInterop((String url) => src),
           ),

From ea29682f0a39c64eb065691dfc6c9e7f19a1ecae Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 09:03:50 +0100
Subject: [PATCH 07/11] feat(core): add trusted types support

---
 .../firebase_core_web/test/firebase_core_tt_test.dart           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
index 86d773c4f412..d8033a040acf 100644
--- a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
@@ -14,7 +14,7 @@ void main() {
   group('injectScript (TrustedTypes configured)', () {
     injectMetaTag(<String, String>{
       'http-equiv': 'Content-Security-Policy',
-      'content': "trusted-types my-custom-policy-name 'allow-duplicates';",
+      'content': 'trusted-types',
     });
 
     test('Should inject Firebase Core script properly', () {

From f12ac0ede46ee8829e4e1b051b4d979109d11820 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 09:04:14 +0100
Subject: [PATCH 08/11] feat(core): add trusted types support

---
 .../firebase_core_web/test/firebase_core_tt_test.dart           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
index d8033a040acf..5eee489dd7b4 100644
--- a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
@@ -14,7 +14,7 @@ void main() {
   group('injectScript (TrustedTypes configured)', () {
     injectMetaTag(<String, String>{
       'http-equiv': 'Content-Security-Policy',
-      'content': 'trusted-types',
+      'content': 'trusted-types;',
     });
 
     test('Should inject Firebase Core script properly', () {

From 9ca03b10cff8cc73d525e0c86940ebcfdc1b1ec9 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 09:20:12 +0100
Subject: [PATCH 09/11] feat(core): add trusted types support

---
 .../firebase_core_web/test/firebase_core_tt_test.dart           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
index 5eee489dd7b4..3bad46099710 100644
--- a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
@@ -14,7 +14,7 @@ void main() {
   group('injectScript (TrustedTypes configured)', () {
     injectMetaTag(<String, String>{
       'http-equiv': 'Content-Security-Policy',
-      'content': 'trusted-types;',
+      'content': "trusted-types flutterfire-firebase_core 'allow-duplicates';",
     });
 
     test('Should inject Firebase Core script properly', () {

From 240bd123860f86a74c51349d61a8d9164f9e1fd1 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 09:27:28 +0100
Subject: [PATCH 10/11] feat(core): add trusted types support

---
 .../firebase_core_web/test/firebase_core_tt_test.dart            | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
index 3bad46099710..5a0e8d22cb41 100644
--- a/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
+++ b/packages/firebase_core/firebase_core_web/test/firebase_core_tt_test.dart
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+@TestOn('browser')
 import 'package:firebase_core_web/firebase_core_web.dart';
 import 'package:flutter_test/flutter_test.dart';
 

From b500b2d0589d4a7175a6811d437935477cc8a403 Mon Sep 17 00:00:00 2001
From: Guillaume Bernos <guillaume@bernos.dev>
Date: Tue, 14 Feb 2023 10:14:39 +0100
Subject: [PATCH 11/11] feat(core): add documentation

---
 docs/setup/_setup_main.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/setup/_setup_main.md b/docs/setup/_setup_main.md
index 272d1cd37d2f..04ed75e7aba1 100644
--- a/docs/setup/_setup_main.md
+++ b/docs/setup/_setup_main.md
@@ -141,6 +141,12 @@ flutterfire configure
     flutter run
     ```
 
+#### Using TrustedTypes for web
+
+If you plan to use Firebase on the web, you can use TrustedTypes to prevent
+XSS attacks. If TrustedTypes are enabled, Firebase will inject the
+scripts into the DOM using TrustedTypes. The policy name are defined as
+follows: 'flutterfire-firease_core', 'flutterfire-firebase_auth'... etc.
 
 ## **Step 4**: Add Firebase plugins {: #add-plugins}