W3cubDocs

/HTTP

CSP: trusted-types

The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict the creation of Trusted Types policies - functions that build non-spoofable, typed values intended to be passed to DOM XSS sinks in place of strings.

Together with require-trusted-types-for directive, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares an allow-list of trusted type policy names created with TrustedTypes.createPolicy from Trusted Types API.

Syntax

Content-Security-Policy: trusted-types;
Content-Security-Policy: trusted-types 'none';
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates'; 
<policyName>
A valid policy name consists only of alphanumeric characters, or one of "-#=_/@.%". A star (*) as a policy name instructs the user agent to allow any unique policy name ('allow-duplicates' may relax that further).
'none'
Disallows creating any Trusted Type policy (same as not specifying any <policyName>).
'allow-duplicates'
Allows for creating policies with a name that was already used.

Examples

// Content-Security-Policy: trusted-types foo bar 'allow-duplicates';

if (typeof trustedTypes !== 'undefined') {
  const policyFoo = trustedTypes.createPolicy('foo', {});
  const policyFoo2 = trustedTypes.createPolicy('foo', {});
  const policyBaz = trustedTypes.createPolicy('baz', {}); // Throws and dispatches a SecurityPolicyViolationEvent.
}

Polyfill

A polyfill for Trusted Types is available on Github.

Specifications

Specification Status Comment
Trusted Types Draft Initial definition.

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
trusted-types 83
83
73 — 76
Disabled
Disabled From version 73 until version 76 (exclusive): this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
? No No No No
Mobile
Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
trusted-types 83 83
83
73 — 76
Disabled
Disabled From version 73 until version 76 (exclusive): this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
No No No No

See also

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types