Patch trusted types violation

Author: Kian Jamali

packages/auth/src/platform_browser/iframe/gapi.ts

@@ -15,6 +15,8 @@
  * limitations under the License.
  */
 
+import { appendParams } from 'safevalues';
+
 import { AuthErrorCode } from '../../core/errors';
 import { _createError } from '../../core/util/assert';
 import { Delay } from '../../core/util/delay';
@@ -104,7 +106,7 @@ function loadGapi(auth: AuthInternal): Promise<gapi.iframes.Context> {
       };
       // Load GApi loader.
       return js
-        ._loadJS(`${js._gapiScriptUrl()}?onload=${cbName}`)
+        ._loadJS(appendParams(js._gapiScriptUrl(), { onload: cbName }))
         .catch(e => reject(e));
     }
   }).catch(error => {

packages/auth/src/platform_browser/index.ts

@@ -16,6 +16,8 @@
  */
 
 import { FirebaseApp, getApp, _getProvider } from '@firebase/app';
+import { trustedResourceUrl } from 'safevalues';
+import { setScriptSrc } from 'safevalues/dom';
 
 import {
   initializeAuth,
@@ -120,11 +122,11 @@ function getScriptParentElement(): HTMLDocument | HTMLHeadElement {
 }
 
 _setExternalJSProvider({
-  loadJS(url: string): Promise<Event> {
+  loadJS(url): Promise<Event> {
     // TODO: consider adding timeout support & cancellation
     return new Promise((resolve, reject) => {
-      const el = document.createElement('script');
-      el.setAttribute('src', url);
+      const el = document.createElement('script') as HTMLScriptElement;
+      setScriptSrc(el, url);
       el.onload = resolve;
       el.onerror = e => {
         const error = _createError(AuthErrorCode.INTERNAL_ERROR);
@@ -137,10 +139,9 @@ _setExternalJSProvider({
     });
   },
 
-  gapiScript: 'https://apis.google.com/js/api.js',
-  recaptchaV2Script: 'https://www.google.com/recaptcha/api.js',
-  recaptchaEnterpriseScript:
-    'https://www.google.com/recaptcha/enterprise.js?render='
+  gapiScript: trustedResourceUrl`https://apis.google.com/js/api.js`,
+  recaptchaV2Script: trustedResourceUrl`https://www.google.com/recaptcha/api.js`,
+  recaptchaEnterpriseScript: trustedResourceUrl`https://www.google.com/recaptcha/enterprise.js?render=`
 });
 
 registerAuth(ClientPlatform.BROWSER);

packages/auth/src/platform_browser/load_js.ts

@@ -15,40 +15,51 @@
  * limitations under the License.
  */
 
+import { TrustedResourceUrl } from 'safevalues';
+
 interface ExternalJSProvider {
-  loadJS(url: string): Promise<Event>;
-  recaptchaV2Script: string;
-  recaptchaEnterpriseScript: string;
-  gapiScript: string;
+  loadJS(url: TrustedResourceUrl): Promise<Event>;
+  recaptchaV2Script: TrustedResourceUrl;
+  recaptchaEnterpriseScript: TrustedResourceUrl;
+  gapiScript: TrustedResourceUrl;
 }
 
-let externalJSProvider: ExternalJSProvider = {
-  async loadJS() {
-    throw new Error('Unable to load external scripts');
-  },
-
-  recaptchaV2Script: '',
-  recaptchaEnterpriseScript: '',
-  gapiScript: ''
-};
+// externalJSProvider is set in index.ts
+let externalJSProvider: ExternalJSProvider;
 
 export function _setExternalJSProvider(p: ExternalJSProvider): void {
   externalJSProvider = p;
 }
 
-export function _loadJS(url: string): Promise<Event> {
+export function _loadJS(url: TrustedResourceUrl): Promise<Event> {
+  // externalJSProvider is not defined during initialization.
+  if (!externalJSProvider) {
+    throw new Error('ExternalJSProvider not set.');
+  }
   return externalJSProvider.loadJS(url);
 }
 
-export function _recaptchaV2ScriptUrl(): string {
+export function _recaptchaV2ScriptUrl(): TrustedResourceUrl {
+  // externalJSProvider is not defined during initialization.
+  if (!externalJSProvider) {
+    throw new Error('ExternalJSProvider not set.');
+  }
   return externalJSProvider.recaptchaV2Script;
 }
 
-export function _recaptchaEnterpriseScriptUrl(): string {
+export function _recaptchaEnterpriseScriptUrl(): TrustedResourceUrl {
+  // externalJSProvider is not defined during initialization.
+  if (!externalJSProvider) {
+    throw new Error('ExternalJSProvider not set.');
+  }
   return externalJSProvider.recaptchaEnterpriseScript;
 }
 
-export function _gapiScriptUrl(): string {
+export function _gapiScriptUrl(): TrustedResourceUrl {
+  // externalJSProvider is not defined during initialization.
+  if (!externalJSProvider) {
+    throw new Error('ExternalJSProvider not set.');
+  }
   return externalJSProvider.gapiScript;
 }
 

packages/auth/src/platform_browser/recaptcha/recaptcha_enterprise_verifier.ts

@@ -25,6 +25,7 @@ import {
   RecaptchaAuthProvider,
   EnforcementState
 } from '../../api';
+import { appendParams } from 'safevalues';
 
 import { Auth } from '../../model/public_types';
 import { AuthInternal } from '../../model/auth';
@@ -141,12 +142,12 @@ export class RecaptchaEnterpriseVerifier {
               );
               return;
             }
-            let url = jsHelpers._recaptchaEnterpriseScriptUrl();
-            if (url.length !== 0) {
-              url += siteKey;
-            }
+            const url = jsHelpers._recaptchaEnterpriseScriptUrl();
+            // Append site key as query parameter.
+            const urlWithParams = appendParams(url, new Map([['render', siteKey]]));
+
             jsHelpers
-              ._loadJS(url)
+              ._loadJS(urlWithParams)
               .then(() => {
                 retrieveRecaptchaToken(siteKey, resolve, reject);
               })

packages/auth/src/platform_browser/recaptcha/recaptcha_loader.ts

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { querystring } from '@firebase/util';
+import { appendParams } from 'safevalues';
 
 import { AuthErrorCode } from '../../core/errors';
 import { _assert, _createError } from '../../core/util/assert';
@@ -90,11 +90,11 @@ export class ReCaptchaLoaderImpl implements ReCaptchaLoader {
         resolve(recaptcha);
       };
 
-      const url = `${jsHelpers._recaptchaV2ScriptUrl()}?${querystring({
+      const url = appendParams(jsHelpers._recaptchaV2ScriptUrl(), {
         onload: _JSLOAD_CALLBACK,
         render: 'explicit',
         hl
-      })}`;
+      });
 
       jsHelpers._loadJS(url).catch(() => {
         clearTimeout(networkTimeout);