Trusted Types
What is Trusted Types?
Trusted Types: Browser API and CSP directive that prevents DOM-based XSS by requiring dangerous DOM sinks to receive typed, policy-vetted values instead of raw strings.
Trusted Types is a defence designed by Google and standardised in the W3C to eliminate DOM-based XSS. When enabled via the require-trusted-types-for and trusted-types CSP directives, the browser refuses to let sinks such as innerHTML, document.write, eval, or script.src accept a plain string. Code must instead build typed objects (TrustedHTML, TrustedScript, TrustedScriptURL) through named, audited policies. This forces every unsafe DOM write through a small, reviewable surface and removes most legacy XSS sinks from the equation. It is widely deployed at Google, Bing, Shopify, and other large web properties.
● Examples
- 01: Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default;
- 02: Replacing element.innerHTML = userInput with element.innerHTML = policy.createHTML(userInput).
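An added example (not code from the original page) of the pattern in example 02: a named policy whose createHTML rule HTML-escapes its input, the usual feature-detection fallback for environments without the API, and the innerHTML write routed through the policy. The policy name 'app-html', the function names, and the sample input are this example's own assumptions.

```javascript
// Added example: a minimal Trusted Types policy wrapping an HTML-escaping
// sanitizer, plus the sink write it guards. Names are this example's own.

// Feature-detect the browser API. Outside a browser (e.g. Node) there is no
// trustedTypes object, so we fall back to plain rule functions that return
// strings; an enforcing browser would reject those strings at the sink, which
// is why the fallback is only meaningful where Trusted Types is not enforced.
const tt = globalThis.trustedTypes;

// Escape the five characters that can break out of an HTML text context.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// The named policy is the only place where a string becomes TrustedHTML.
// Its name must be listed in the CSP trusted-types directive; the special
// name 'default' makes the browser invoke the policy automatically whenever
// a plain string reaches a sink. No createScript / createScriptURL rule is
// defined, so this policy cannot be used to mint script values at all.
function createPolicy(name) {
  const rules = {
    createHTML: (input) => escapeHtml(input),
  };
  return tt && tt.createPolicy ? tt.createPolicy(name, rules) : rules;
}

const policy = createPolicy('app-html');

// The sink write from example 02: innerHTML receives the policy's output,
// never the raw user-controlled string. Returns the written value for checking.
function setSafeHTML(element, userInput) {
  element.innerHTML = policy.createHTML(userInput);
  return element.innerHTML;
}

// Constructed sample input standing in for attacker-controlled data.
const sampleInput = '<img src=x onerror=alert(1)>';
const target = {}; // stand-in for a DOM element outside the browser
setSafeHTML(target, sampleInput);
```

In a browser with the CSP from example 01 in force, the direct assignment element.innerHTML = userInput throws a TypeError, while setSafeHTML succeeds because the value is TrustedHTML produced by the registered policy.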
● Frequently asked questions
What is Trusted Types?
Browser API and CSP directive that prevents DOM-based XSS by requiring dangerous DOM sinks to receive typed, policy-vetted values instead of raw strings. It belongs to the Application Security category of cybersecurity.
What does Trusted Types mean?
Browser API and CSP directive that prevents DOM-based XSS by requiring dangerous DOM sinks to receive typed, policy-vetted values instead of raw strings.
How do you deploy Trusted Types as a defence?
Trusted Types is itself a defence against DOM-based XSS rather than a threat. Deploying it combines a technical control (the require-trusted-types-for and trusted-types CSP directives together with named policies that produce TrustedHTML, TrustedScript and TrustedScriptURL) with the operational practice of keeping those policies few, small and audited, as described in the full definition above.