ampproject · erwinmombay · Jul 12, 2023 · Jun 16, 2023 · Jun 16, 2023 · Jun 16, 2023
diff --git a/src/service/extension-script.js b/src/service/extension-script.js
@@ -7,6 +7,12 @@ import {getMode} from '../mode';
 const CUSTOM_TEMPLATES = ['amp-mustache'];
 const LATEST_VERSION = 'latest';
 
+const cdnRegexUrl = new RegExp(
+  // eslint-disable-next-line local/no-forbidden-terms
+  '^https://([a-zA-Z0-9_-]+.)?cdn.ampproject.org(/.*)?$'
+);
+const testCdnRegexUrl = new RegExp('^([a-zA-Z0-9_-]+.)?localhost$');
+
 /**
  * Calculate the base url for any scripts.
  * @param {!Location} location The window's location
@@ -155,7 +161,30 @@ export function createExtensionScript(win, extensionId, version) {
     version,
     getMode(win).localDev
   );
-  scriptElement.src = scriptSrc;
+
+  let policy = {
+    createScriptURL: function (url) {
+      // Only allow trusted URLs
+      if (
+        cdnRegexUrl.test(url) ||
+        (getMode().test && testCdnRegexUrl.test(new URL(url).hostname)) ||
+        new URL(url).host === 'fonts.googleapis.com'
+      ) {
+        return url;
+      } else {
+        return '';
+      }
+    },
+  };
+
+  if (self.trustedTypes && self.trustedTypes.createPolicy) {
+    policy = self.trustedTypes.createPolicy(
+      'extension-script#createExtensionScript',
+      policy
+    );
+  }
+
+  scriptElement.src = policy.createScriptURL(scriptSrc);
   return scriptElement;
 }