Fix various tsec violations without use of policy

packages/next/client/dev/fouc.ts

@@ -1,9 +1,12 @@
+// This wrapper function is used to avoid raising a Trusted Types violation.
+const safeSetTimeout = (callback: () => void) => setTimeout(callback)
+
 // This function is used to remove Next.js' no-FOUC styles workaround for using
 // `style-loader` in development. It must be called before hydration, or else
 // rendering won't have the correct computed values in effects.
 export function displayContent(): Promise<void> {
   return new Promise((resolve) => {
-    ;(window.requestAnimationFrame || setTimeout)(function () {
+    ;(window.requestAnimationFrame || safeSetTimeout)(function () {
       for (
         var x = document.querySelectorAll('[data-next-hide-fouc]'),
           i = x.length;

packages/next/lib/recursive-delete.ts

@@ -1,9 +1,9 @@
 import { Dirent, promises } from 'fs'
 import { join, isAbsolute, dirname } from 'path'
-import { promisify } from 'util'
 import isError from './is-error'
 
-const sleep = promisify(setTimeout)
+const sleep = (timeout: number) =>
+  new Promise((resolve) => setTimeout(resolve, timeout))
 
 const unlinkPath = async (p: string, isDir = false, t = 1): Promise<void> => {
   try {

packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts

@@ -804,11 +804,18 @@ var focusSummary = {
 }
 
 function makeFocusableForeignObject() {
-  var fragment = document.createElement('div')
-  fragment.innerHTML =
-    '<svg><foreignObject width="30" height="30">\n      <input type="text"/>\n  </foreignObject></svg>'
+  // Constructs <foreignObject width="30" height="30"><input type="text"/></foreignObject>
+  // without raising a Trusted Types violation
+  var foreignObject = document.createElementNS(
+    'http://www.w3.org/2000/svg',
+    'foreignObject'
+  )
+  foreignObject.width.baseVal.value = 30
+  foreignObject.height.baseVal.value = 30
+  foreignObject.appendChild(document.createElement('input'))
+  foreignObject.lastChild.type = 'text'
 
-  return fragment.firstChild.firstChild
+  return foreignObject
 }
 
 function focusSvgForeignObjectHack(element) {

tsec-exemptions.json

@@ -1,8 +1,7 @@
 {
   "ban-element-innerhtml-assignments": [
     "packages/next/client/head-manager.ts",
-    "packages/next/client/script.tsx",
-    "packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts"
+    "packages/next/client/script.tsx"
   ],
   "ban-element-setattribute": [
     "packages/next/client/head-manager.ts",
@@ -12,9 +11,5 @@
   "ban-script-src-assignments": [
     "packages/next/client/route-loader.ts",
     "packages/next/client/script.tsx"
-  ],
-  "ban-window-stringfunctiondef": [
-    "packages/next/lib/recursive-delete.ts",
-    "packages/next/client/dev/fouc.ts"
   ]
 }