W3cubDocs

/HTTP

CSP: require-trusted-types-for

The HTTP Content-Security-Policy (CSP) require-trusted-types-for directive instructs user agents to control the data passed to DOM XSS sink functions, like Element.innerHTML setter.

When used, those functions only accept non-spoofable, typed values created by Trusted Type policies, and reject strings. Together with trusted-types directive, which guards creation of Trusted Type policies, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review.

Syntax

Content-Security-Policy: require-trusted-types-for 'script';
'script'
Disallows using strings with DOM XSS injection sink functions, and requires matching types created by Trusted Type policies.

Examples

// Content-Security-Policy: require-trusted-types-for 'script'; trusted-types foo;

const attackerInput = '<svg onload="alert(/cross-site-scripting/)" />';
const el = document.createElement('div');

if (typeof trustedTypes !== 'undefined') {
  // Create a policy that can create TrustedHTML values 
  // after sanitizing the input strings with DOMPurify library.
  const sanitizer = trustedTypes.createPolicy('foo', {
    createHTML: (input) => DOMPurify.sanitize(input)
  });

  el.innerHTML = sanitizer.createHTML(attackerInput);  // Puts the sanitized value into the DOM.
  el.innerHTML = attackerInput;                        // Rejects a string value; throws a TypeError.
}

Polyfill

A polyfill for Trusted Types is available on Github.

Specifications

Specification Status Comment
Trusted Types Draft Initial definition.

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
trusted-types 83
83
73 — 76
Disabled
Disabled From version 73 until version 76 (exclusive): this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
? No No No No
Mobile
Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
trusted-types 83 83
83
73 — 76
Disabled
Disabled From version 73 until version 76 (exclusive): this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
No No No No

See also

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for