CSP & TrustedHTML issues with email-decode.min.js

Following the suggestions here, we’ve updated our site’s Content Security Policy (CSP) to allow the email protection, specifically script-src 'self' 'unsafe-inline' for the Scrape Shield feature. We’ve already been using nonce values throughout.

Seems odd that ‘unsafe-inline’ is the suggested fix for this feature, while later in the same article the use of this attribute is discouraged.

Anywhoo, our Chrome browsers are throwing this block now:

TypeError: Failed to set the ‘innerHTML’ property on ‘Element’: This document requires ‘TrustedHTML’ assignment.
at t (email-decode.min.js:1:175)
at n (email-decode.min.js:1:480)
at c (email-decode.min.js:1:611)
at i (email-decode.min.js:1:974)
at email-decode.min.js:1:1108
at email-decode.min.js:1:1236

Here’s information on the reason and source of the message and JS block event.

Can anyone explain how to circumnavigate this problem and continue using the email protection feature?

Thanks, Al

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.