CSP: trusted-types

The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict usage of known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings. This allows authors to define rules guarding the writing of values to the DOM, reducing the DOM XSS attack surface to small, isolated parts of the web application codebase and making those parts easier to monitor and review. The directive declares an allowlist of Trusted Types policy names created with TrustedTypes.createPolicy from the Trusted Types API.

Syntax

Content-Security-Policy: trusted-types;
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates';
<DOMString>
Any string can be a Trusted Type policy name.
'allow-duplicates'
Allows for creating policies with a name that was already used.

Examples

TODO
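The allowlist check described under Syntax, modelled in JavaScript as an added example (not code from the original page, the specification, or any browser). The function names `parseTrustedTypes` and `auditPolicyCreation` and all policy names are constructed for illustration; the model covers only the forms shown on this page and assumes that a header without the directive places no restriction on policy creation.

```javascript
// Added example: models only the two forms shown on this page
// (policy names and 'allow-duplicates'). Policy names are constructed.

// Return the trusted-types allowlist from a CSP header value,
// or null when the directive is absent.
function parseTrustedTypes(headerValue) {
  for (const directive of headerValue.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'trusted-types') continue;
    return {
      allowDuplicates: values.some((v) => v.toLowerCase() === "'allow-duplicates'"),
      names: new Set(values.filter((v) => !v.startsWith("'"))),
    };
  }
  return null;
}

// Replay the createPolicy calls an application makes, in order, and report
// which ones the header would permit. Assumption: without the directive,
// policy creation is unrestricted.
function auditPolicyCreation(headerValue, createdInOrder) {
  const tt = parseTrustedTypes(headerValue);
  const seen = new Set();
  return createdInOrder.map((policyName) => {
    let verdict = 'allowed';
    if (tt && !tt.names.has(policyName)) {
      verdict = 'blocked: name not in allowlist';
    } else if (tt && seen.has(policyName) && !tt.allowDuplicates) {
      verdict = 'blocked: duplicate name';
    }
    if (verdict === 'allowed') seen.add(policyName);
    return { policyName, verdict };
  });
}

// Constructed input: names a page and its libraries try to create.
const calls = ['app-html', 'sanitizer', 'app-html', 'legacy-widget'];
const header = "default-src 'self'; trusted-types app-html sanitizer";
for (const { policyName, verdict } of auditPolicyCreation(header, calls)) {
  console.log(`${policyName}: ${verdict}`);
}
```

Running the audit against a staging header before deployment shows which library policies would fail to be created once the directive is enforced.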

Polyfill

A polyfill for Trusted Types is available on GitHub.

Specifications

Specification | Status | Comment
Trusted Types | Draft | Initial definition.

Browser compatibility

trusted-types (experimental; expect behavior to change in the future)

Desktop
Chrome: full support from version 83. Versions 73 to 76: disabled. From version 73 until version 76 (exclusive), this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
Edge: compatibility unknown
Firefox: no support
Internet Explorer: no support
Opera: no support
Safari: no support

Mobile
Android WebView: full support from version 83
Chrome for Android: full support from version 83. Versions 73 to 76: disabled. From version 73 until version 76 (exclusive), this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
Firefox for Android: no support
Opera for Android: no support
Safari on iOS: no support
Samsung Internet: no support

See also