The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict usage of known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings. This allows authors to define rules guarding writing values to the DOM and thus reduce the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares a white-list of trusted type policy names created with TrustedTypes.createPolicy from the Trusted Types API.
Syntax
Content-Security-Policy: trusted-types;
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates';
<DOMString>
- Any string can be a Trusted Type policy name.
'allow-duplicates'
- Allows creating a policy with a name that was already used.
Examples
TODO
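The following is an added example, not code from the MDN page or the Trusted Types project. It models the decision a user agent makes when a page calls createPolicy against the three directive forms shown under Syntax: a name is accepted only if it is on the allow-list, and reusing a name is accepted only when 'allow-duplicates' is present. The function names, the returned strings and the sample policy names ("sanitizer", "templating") are constructed for the demo; in a real browser the failing cases throw a TypeError and raise a CSP violation instead of returning a string.

```javascript
// Parse the value of a "Content-Security-Policy: trusted-types ..." directive
// (everything after the directive name). Returns the allow-listed policy
// names and whether 'allow-duplicates' was present. Constructed helper.
function parseTrustedTypesDirective(directiveValue) {
  const tokens = directiveValue.trim().split(/\s+/).filter(Boolean);
  const names = new Set();
  let allowDuplicates = false;
  for (const token of tokens) {
    if (token === "'allow-duplicates'") {
      allowDuplicates = true;        // keyword, not a policy name
    } else {
      names.add(token);              // any other string is a policy name
    }
  }
  return { names, allowDuplicates };
}

// Simulate one createPolicy(name, ...) call under the given directive.
// `createdSoFar` holds names already created in this document; it is
// updated when the call is allowed. Returns a constructed outcome string.
function checkCreatePolicy(directiveValue, createdSoFar, name) {
  const { names, allowDuplicates } = parseTrustedTypesDirective(directiveValue);
  if (!names.has(name)) {
    return 'blocked: policy name not in trusted-types allow-list';
  }
  if (createdSoFar.has(name) && !allowDuplicates) {
    return "blocked: duplicate policy name without 'allow-duplicates'";
  }
  createdSoFar.add(name);
  return 'allowed';
}

// Walk through the three syntax forms from the page with constructed calls.
function demo() {
  const results = [];
  // Form 1: bare "trusted-types;" allow-lists no names, so any createPolicy
  // call is blocked.
  results.push(checkCreatePolicy('', new Set(), 'sanitizer'));
  // Form 2: a single name; the first creation succeeds, a second creation
  // with the same name is a duplicate and is blocked.
  const created = new Set();
  results.push(checkCreatePolicy('sanitizer', created, 'sanitizer'));
  results.push(checkCreatePolicy('sanitizer', created, 'sanitizer'));
  // Form 3: two names plus 'allow-duplicates'; re-creating "sanitizer" is
  // now fine, but a name outside the list is still blocked.
  const directive = "sanitizer templating 'allow-duplicates'";
  const created2 = new Set(['sanitizer']);
  results.push(checkCreatePolicy(directive, created2, 'sanitizer'));
  results.push(checkCreatePolicy(directive, created2, 'unknown'));
  return results;
}
```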
Polyfill
A polyfill for Trusted Types is available on GitHub.
Specifications
Specification | Status | Comment |
---|---|---|
Trusted Types | Draft | Initial definition. |
Browser compatibility
Feature | Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Firefox Android | Opera Android | Safari iOS | Samsung Internet Android |
---|---|---|---|---|---|---|---|---|---|---|---|---|
trusted-types | Full support 83 | ? | No support | No support | No support | No support | Full support 83 | Full support 83 | No support | No support | No support | No support |
Legend
- Full support
- No support
- Compatibility unknown
- Experimental. Expect behavior to change in the future.
- User must explicitly enable this feature.
See also
- Content-Security-Policy
- Cross-Site Scripting (XSS)
- Google Developers: Intro to Trusted-Types
- Trusted Types with DOMPurify XSS sanitizer