♻️🐛 [Trusted Types] Make createExtensionScript's policy regex less pe…

…rmissive (#39273) * make regex more strict * lint
ampproject · Jul 31, 2023 · a5572f3 · a5572f3
1 parent 54c0400
commit a5572f3
Showing 1 changed file with 4 additions and 7 deletions.
diff --git a/src/service/extension-script.js b/src/service/extension-script.js
@@ -7,11 +7,8 @@ import {getMode} from '../mode';
 const CUSTOM_TEMPLATES = ['amp-mustache'];
 const LATEST_VERSION = 'latest';
 
-const cdnRegexUrl = new RegExp(
-  // eslint-disable-next-line local/no-forbidden-terms
-  '^https://([a-zA-Z0-9_-]+.)?cdn.ampproject.org(/.*)?$'
-);
-const testCdnRegexUrl = new RegExp('^([a-zA-Z0-9_-]+.)?localhost$');
+const regexURL = /^https:\/\/([a-zA-Z0-9_-]+\.)?cdn\.ampproject\.org(\/.*)?$/;
+const testRegexURL = /^([a-zA-Z0-9_-]+\.)?localhost$/;
 
 /**
  * Calculate the base url for any scripts.
@@ -166,8 +163,8 @@ export function createExtensionScript(win, extensionId, version) {
     createScriptURL: function (url) {
       // Only allow trusted URLs
       if (
-        cdnRegexUrl.test(url) ||
-        (getMode().test && testCdnRegexUrl.test(new URL(url).hostname)) ||
+        regexURL.test(url) ||
+        (getMode().test && testRegexURL.test(new URL(url).hostname)) ||
         new URL(url).host === 'fonts.googleapis.com'
       ) {
         return url;