1. Web
  2. Web APIs
  3. TrustedTypePolicyFactory

TrustedTypePolicyFactory

Baseline 2026
Newly available

Since February 2026, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.

Note: This feature is available in Web Workers.

The TrustedTypePolicyFactory interface of the Trusted Types API creates policies and allows the verification of Trusted Type objects against created policies.

Instance properties

TrustedTypePolicyFactory.emptyHTML Read only

Returns a TrustedHTML object containing an empty string.

TrustedTypePolicyFactory.emptyScript Read only

Returns a TrustedScript object containing an empty string.

TrustedTypePolicyFactory.defaultPolicy Read only

Returns the default TrustedTypePolicy or null if this is empty.

Instance methods

TrustedTypePolicyFactory.createPolicy()

Creates a TrustedTypePolicy object that implements the rules passed as policyOptions.

TrustedTypePolicyFactory.isHTML()

When passed a value checks that it is a valid TrustedHTML object.

TrustedTypePolicyFactory.isScript()

When passed a value checks that it is a valid TrustedScript object.

TrustedTypePolicyFactory.isScriptURL()

When passed a value checks that it is a valid TrustedScriptURL object.

TrustedTypePolicyFactory.getAttributeType()

Allows web developers to check whether a Trusted Type is required for an element and attribute, and if so which one.

TrustedTypePolicyFactory.getPropertyType()

Allows web developers to check whether a Trusted Type is required for a property, and if so which one.

Examples

The below code creates a policy with the name "myEscapePolicy" with a function defined for createHTML() which sanitizes HTML.

We then use the policy to sanitize a string, creating a TrustedHTML object, escaped. This object can be tested with isHTML() to ensure that it was created by one of our policies.

js
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  createHTML: (string) => string.replace(/</g, "&lt;"),
});

const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>");

console.log(trustedTypes.isHTML(escaped)); // true;

Specifications

Specification
Trusted Types
# trusted-type-policy-factory

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.

View this page on GitHubReport a problem with this content