Bug 290037: RESOLVED FIXED
STP 215: Extension content scripts not exempted from Trusted Types page CSP
https://bugs.webkit.org/show_bug.cgi?id=290037
Jeff Johnson
Reported 2025-03-19 03:10:07 PDT
Created attachment 474626: Example Safari extension Xcode project

In general, extension content scripts are exempted from the page's Content-Security-Policy. For example, "script-src 'none'" does not affect extension content scripts.

Safari Technology Preview version 215 enabled the Trusted Types API by default. The bug is that the CSP "require-trusted-types-for 'script'" does affect extension content scripts. This happens for both Safari web extensions and Safari app extensions.

The application of Trusted Types to extension content scripts causes massive breakage, such as innocent uses of innerHTML. I've discovered that YouTube, for example, uses the Content-Security-Policy "require-trusted-types-for 'script'", so the effects of this bug will be widespread and devastating on Safari extensions, including my own.

Steps to reproduce:
1) Download and unzip the attachment
2) cd ~/Downloads/TrustedTypesBug
3) python3 csp-trusted.py
4) Open, build, and run TrustedTypesBug.xcodeproj
5) Enable one of the TrustedTypes extensions (web extension or app extension) in Safari Technology Preview 215
6) Open http://localhost:8000

Expected results: The extension displays a dialog element on the page.

Actual results: No dialog is displayed.

[Log] content.js loaded – "http://localhost:8000/"
[Log] content.js showDialog
[Error] This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
[Error] TypeError: This assignment requires a TrustedHTML

You can see with csp-script.py, on the other hand, that extension content scripts are exempted from the CSP "script-src 'none'".
Attachments
Example Safari extension Xcode project (326.28 KB, application/zip)
2025-03-19 03:10 PDT, Jeff Johnson
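The TypeError in the report comes from the `innerHTML` sink rejecting a plain string once "require-trusted-types-for 'script'" is enforced. As an added illustration (not the attachment's content.js), this content-script helper hands the sink a TrustedHTML value from a policy when `trustedTypes` is present and falls back to the plain string otherwise; the policy name and the offline stand-in for `window.trustedTypes` are constructed for the example.

```javascript
// Added example: content-script markup that survives Trusted Types enforcement.
// Markup is a fixed constant owned by the extension; no page data flows into it.
const DIALOG_MARKUP = '<dialog open><p>Hello from the extension</p></dialog>';

// Policies are cached per trustedTypes factory: browsers throw a TypeError
// on a duplicate policy name unless the CSP allows duplicates.
const policyCache = new WeakMap();

// Returns TrustedHTML when a Trusted Types factory is available (normally
// globalThis.trustedTypes, passed in so the logic can run outside a browser),
// otherwise the plain string that pre-Trusted-Types pages accept.
function makeDialogHtml(tt) {
  if (!tt || typeof tt.createPolicy !== 'function') {
    return DIALOG_MARKUP;
  }
  let policy = policyCache.get(tt);
  if (!policy) {
    // 'extension-dialog' is an assumed name; the report's CSP has no
    // 'trusted-types' directive, so any policy name is accepted.
    policy = tt.createPolicy('extension-dialog', {
      createHTML: (input) => input, // only ever fed the constant above
    });
    policyCache.set(tt, policy);
  }
  return policy.createHTML(DIALOG_MARKUP);
}

// The sink that produced "This assignment requires a TrustedHTML" in the log.
function showDialog(doc, tt) {
  const host = doc.createElement('div');
  host.innerHTML = makeDialogHtml(tt);
  doc.body.appendChild(host);
  return host;
}

// Constructed stand-in for window.trustedTypes so the helper can be exercised
// offline; it mimics the duplicate-name rejection of the real API.
function fakeTrustedTypes() {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError('duplicate policy ' + name);
      names.add(name);
      return {
        createHTML: (s) => ({ trustedHTML: true, toString: () => rules.createHTML(s) }),
      };
    },
  };
}
```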
Jeff Johnson
Comment 1 2025-03-19 03:19:11 PDT
By the way, this bug does not exist in Google Chrome.
Radar WebKit Bug Importer
Comment 2 2025-03-19 08:24:15 PDT
Tim Nguyen (:ntim)
Comment 3 2025-03-19 12:38:10 PDT
Luke Warlow
Comment 4 2025-03-20 04:39:16 PDT
*** Bug 290092 has been marked as a duplicate of this bug. ***
EWS
Comment 5 2025-03-21 08:01:41 PDT
Committed 292473@main (421a4d041cbc): <https://commits.webkit.org/292473@main> Reviewed commits have been landed. Closing PR #42707 and removing active labels.