Trusted Types
What is Trusted Types?
Browser API and CSP directive that prevents DOM-based XSS by requiring dangerous DOM sinks to receive typed, policy-vetted values instead of raw strings.
Trusted Types is a defence designed by Google and standardised in the W3C to eliminate DOM-based XSS. When enabled via the require-trusted-types-for and trusted-types CSP directives, the browser refuses to let sinks such as innerHTML, document.write, eval, or script.src accept a plain string. Code must instead build typed objects (TrustedHTML, TrustedScript, TrustedScriptURL) through named, audited policies. This forces every unsafe DOM write through a small, reviewable surface and removes most legacy XSS sinks from the equation. It is widely deployed at Google, Bing, Shopify, and other large web properties.
● Examples
- 01: Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default;
- 02: Replacing element.innerHTML = userInput with element.innerHTML = policy.createHTML(userInput).
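The following is an added example, not code from the original page: a Trusted Types "default" policy for the CSP shown in example 01. With trusted-types default, the only policy the page may create is named "default", and the browser invokes it automatically whenever a plain string reaches an enforced sink, so the security of the page now rests on the rules inside that policy. The function createDefaultPolicy(tt) takes the trustedTypes object (window.trustedTypes in a browser) as a parameter; the allow-listed origin is an assumption.

```javascript
// Added example: a Trusted Types "default" policy matching
//   require-trusted-types-for 'script'; trusted-types default;
// createDefaultPolicy(tt) receives window.trustedTypes in a browser; taking
// it as a parameter lets the rules be exercised outside one as well.

// Rule for HTML sinks (innerHTML, document.write, ...): HTML-encode the five
// significant characters so any markup in the input becomes inert text.
// Production code usually runs an HTML sanitiser (e.g. DOMPurify) here
// instead, when the input is meant to carry markup.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Rule for script-URL sinks (script.src and similar): resolve the value and
// allow only origins on an explicit allow-list (assumed origin below).
// Throwing inside a default-policy rule makes the sink assignment fail
// instead of loading the script.
const ALLOWED_SCRIPT_ORIGINS = ['https://example.test'];
function checkScriptUrl(input, base = 'https://example.test') {
  const url = new URL(String(input), base);
  if (!ALLOWED_SCRIPT_ORIGINS.includes(url.origin)) {
    throw new TypeError(`script URL blocked by Trusted Types policy: ${url.origin}`);
  }
  return url.href;
}

// Create the default policy. No createScript rule is defined on purpose, so
// eval() / new Function() on a plain string stay blocked under the CSP.
function createDefaultPolicy(tt) {
  if (!tt) {
    // Browser without Trusted Types support: the CSP directives are ignored
    // and no policy can be created, so callers must keep encoding output.
    return null;
  }
  return tt.createPolicy('default', {
    createHTML: (s) => escapeHtml(s),
    createScriptURL: (s) => checkScriptUrl(s),
  });
}

// In a browser this registers the policy; elsewhere trustedTypes is absent.
const defaultPolicy = createDefaultPolicy(globalThis.trustedTypes);
```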
● Frequently asked questions
What is Trusted Types?
Browser API and CSP directive that prevents DOM-based XSS by requiring dangerous DOM sinks to receive typed, policy-vetted values instead of raw strings. It belongs to the Application Security category of cybersecurity.
● Related terms
- Cross-Site Scripting (XSS) [attacks]: A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- Content Security Policy (CSP) [appsec]: An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- Output Encoding [appsec]: Transforming untrusted data into a form that is safe for a specific output context (HTML, JavaScript, URL, SQL, shell) so it cannot break out and execute as code.
- Secure Coding [appsec]: The practice of writing source code in ways that minimize security defects, following defensive patterns, language-specific rules and recognized guidelines.
- Input Validation [appsec]: The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.
- HTTP Security Headers [appsec]: Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls.
● See also
- iframe sandbox