From 8ee5bf90b02c9a0c87d08932d76ae42d9e954601 Mon Sep 17 00:00:00 2001
From: Martin Schuhfuss <m.schuhfuss@gmail.com>
Date: Mon, 8 Jun 2026 12:58:35 +0200
Subject: [PATCH 1/2] fix: avoid unconditional use of window in policy creation
 logic

fixes #1233
---
 src/setScriptSrc.test.ts | 11 +++++++++++
 src/setScriptSrc.ts      | 39 ++++++++++++++++++++++++++-------------
 2 files changed, 37 insertions(+), 13 deletions(-)
 create mode 100644 src/setScriptSrc.test.ts

diff --git a/src/setScriptSrc.test.ts b/src/setScriptSrc.test.ts
new file mode 100644
index 00000000..4f2ffbe6
--- /dev/null
+++ b/src/setScriptSrc.test.ts
@@ -0,0 +1,11 @@
+/*
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// @jest-environment node
+describe("setScriptSrc(): SSR safety", () => {
+  it("should be importable when window is not available", async () => {
+    await expect(import("./setScriptSrc.js")).resolves.toBeDefined();
+  });
+});
diff --git a/src/setScriptSrc.ts b/src/setScriptSrc.ts
index 52000262..fc004835 100644
--- a/src/setScriptSrc.ts
+++ b/src/setScriptSrc.ts
@@ -8,23 +8,34 @@ import type { TrustedTypePolicyFactory } from "trusted-types";
 import { logDevWarning, MSG_TRUSTED_TYPES_POLICY_FAILED } from "./messages.js";
 
 const TRUSTED_TYPES_POLICY_NAME = "@googlemaps/js-api-loader";
-type TrustedTypesWindow = Window & {
+interface TrustedTypesGlobals {
   trustedTypes?: TrustedTypePolicyFactory;
-};
-
-// Try to create a Trusted Types policy when supported. Falls back to a string
-// passthrough when Trusted Types is unsupported, blocked by CSP, or already
-// registered.
+}
 
-let policy: {
+type Policy = {
   createScriptURL: (url: string) => string | TrustedScriptURL;
 };
 
-const trustedTypes = (window as TrustedTypesWindow).trustedTypes;
+const fallbackPolicy: Policy = { createScriptURL: (url: string) => url };
+
+let policy: Policy | undefined;
+
+/*
+ * Tries to create a Trusted Types policy when supported. Falls back to a string passthrough
+ * when Trusted Types is unsupported, blocked by CSP, or already registered.
+ */
+function getPolicy(): Policy {
+  if (policy) {
+    return policy;
+  }
+
+  const trustedTypes = (globalThis as TrustedTypesGlobals).trustedTypes;
+
+  if (!trustedTypes) {
+    policy = fallbackPolicy;
+    return policy;
+  }
 
-if (!trustedTypes) {
-  policy = { createScriptURL: (url: string) => url };
-} else {
   try {
     policy = trustedTypes.createPolicy(TRUSTED_TYPES_POLICY_NAME, {
       createScriptURL: (url: string) => url,
@@ -33,10 +44,12 @@ if (!trustedTypes) {
     logDevWarning(
       MSG_TRUSTED_TYPES_POLICY_FAILED(TRUSTED_TYPES_POLICY_NAME, e)
     );
-    policy = { createScriptURL: (url: string) => url };
+    policy = fallbackPolicy;
   }
+
+  return policy;
 }
 
 export function setScriptSrc(script: HTMLScriptElement, src: string): void {
-  script.src = policy.createScriptURL(src) as string;
+  script.src = getPolicy().createScriptURL(src) as string;
 }

From 3d343de2621a6ef652696951ee2e8ff985a3a214 Mon Sep 17 00:00:00 2001
From: Martin Schuhfuss <m.schuhfuss@gmail.com>
Date: Mon, 8 Jun 2026 23:45:03 +0200
Subject: [PATCH 2/2] test: add unit tests for `setScriptSrc` with Trusted
 Types support

---
 src/setScriptSrc.test.ts | 102 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 95 insertions(+), 7 deletions(-)

diff --git a/src/setScriptSrc.test.ts b/src/setScriptSrc.test.ts
index 4f2ffbe6..2926ada0 100644
--- a/src/setScriptSrc.test.ts
+++ b/src/setScriptSrc.test.ts
@@ -1,11 +1,99 @@
-/*
- * Copyright 2025 Google LLC
- * SPDX-License-Identifier: Apache-2.0
+/**
+ * @jest-environment node
+ *
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
-// @jest-environment node
-describe("setScriptSrc(): SSR safety", () => {
-  it("should be importable when window is not available", async () => {
-    await expect(import("./setScriptSrc.js")).resolves.toBeDefined();
+import { jest } from "@jest/globals";
+
+type TrustedTypesStub = {
+  createPolicy: jest.Mock;
+};
+
+declare global {
+  // Node does not provide this, but tests attach a stub.
+  var trustedTypes: TrustedTypesStub | undefined;
+}
+
+describe("setScriptSrc()", () => {
+  beforeEach(() => {
+    jest.resetModules();
+    jest.clearAllMocks();
+
+    // make sure these tests are running without a window-instance
+    if (typeof window !== "undefined") {
+      throw new Error("Expected Node test environment without window.");
+    }
+  });
+
+  afterEach(() => {
+    globalThis.trustedTypes = undefined;
+  });
+
+  it("falls back to a plain string when Trusted Types are not available", async () => {
+    globalThis.trustedTypes = undefined;
+
+    const { setScriptSrc } = await import("./setScriptSrc.js");
+    const script = { src: "" } as HTMLScriptElement;
+
+    setScriptSrc(script, "https://maps.googleapis.com/maps/api/js");
+
+    expect(script.src).toBe("https://maps.googleapis.com/maps/api/js");
+  });
+
+  it("creates and uses a Trusted Types policy when available", async () => {
+    const createScriptURL = jest.fn((url: string) => `tt:${url}`);
+    const createPolicy = jest.fn(() => ({ createScriptURL }));
+
+    globalThis.trustedTypes = {
+      createPolicy,
+    };
+
+    const { setScriptSrc } = await import("./setScriptSrc.js");
+    const script = { src: "" } as HTMLScriptElement;
+
+    setScriptSrc(script, "https://maps.googleapis.com/maps/api/js");
+
+    expect(createPolicy).toHaveBeenCalledTimes(1);
+    expect(createPolicy).toHaveBeenCalledWith(
+      "@googlemaps/js-api-loader",
+      expect.objectContaining({
+        createScriptURL: expect.any(Function),
+      })
+    );
+    expect(createScriptURL).toHaveBeenCalledWith(
+      "https://maps.googleapis.com/maps/api/js"
+    );
+    expect(script.src).toBe("tt:https://maps.googleapis.com/maps/api/js");
+  });
+
+  it("falls back when policy creation fails", async () => {
+    const createPolicy = jest.fn(() => {
+      throw new Error("policy denied");
+    });
+
+    globalThis.trustedTypes = {
+      createPolicy,
+    };
+
+    const { setScriptSrc } = await import("./setScriptSrc.js");
+    const script = { src: "" } as HTMLScriptElement;
+
+    setScriptSrc(script, "https://maps.googleapis.com/maps/api/js");
+
+    expect(createPolicy).toHaveBeenCalledTimes(1);
+    expect(script.src).toBe("https://maps.googleapis.com/maps/api/js");
   });
 });