Content-Security-Policy: trusted-types directive
Baseline 2026 (newly available): since February 2026, this feature works across the latest devices and browser versions. It might not work in older devices or browsers.
The HTTP Content-Security-Policy (CSP) trusted-types directive is used to specify an allowlist of Trusted Type policy names that a website can create using trustedTypes.createPolicy().
This prevents website code from creating unexpected policies and makes Trusted Types code easier to audit: createPolicy() throws an exception if it is passed a name that is not listed in trusted-types.
Note:
The trusted-types directive on its own does not enforce anything: the require-trusted-types-for directive must be set to enable enforcement of Trusted Types. Separately, the 'trusted-types-eval' keyword (used in script-src) relaxes the restrictions on eval() and Function() when Trusted Types are enforced.
See Trusted Type API for more information.
Syntax
Content-Security-Policy: trusted-types;
Content-Security-Policy: trusted-types 'none';
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates';
- <policyName>
  A valid policy name consists only of alphanumeric characters or any of the characters -#=_/@.%. A star (*) as a policy name instructs the user agent to allow any unique policy name ('allow-duplicates' may relax that further).
- 'none'
  Disallows creating any Trusted Type policy (same as not specifying any <policyName>).
- 'allow-duplicates'
  Allows creating policies with a name that was already used.
Examples
// Content-Security-Policy: trusted-types foo bar 'allow-duplicates';
if (typeof trustedTypes !== "undefined") {
  // "foo" is on the allowlist, so the policy is created.
  const policyFoo = trustedTypes.createPolicy("foo", {});
  // A second policy named "foo" is permitted only because 'allow-duplicates' is set.
  const policyFoo2 = trustedTypes.createPolicy("foo", {});
  // "baz" is not listed: this throws a TypeError and dispatches a SecurityPolicyViolationEvent.
  const policyBaz = trustedTypes.createPolicy("baz", {});
}
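The allow/deny rules from the Syntax section, and the scenario in the example above, can be checked offline with a small model of what the user agent does on each createPolicy() call. The following is an added example, not browser code and not part of this page; it assumes that keywords match case-insensitively (as CSP keywords do), that policy names are compared case-sensitively, that an absent trusted-types directive imposes no restriction, and that a directive token which is neither a keyword, "*" nor a valid policy name is a hard error. The headers and policy names fed to it are constructed inputs.

```javascript
// Added example (not browser or page code): a model of the checks a user agent
// applies when script calls trustedTypes.createPolicy(name) under a
// trusted-types directive, written from the rules in the Syntax section.
// Assumptions: keywords are matched case-insensitively, policy names
// case-sensitively, an absent directive means no restriction, and a token
// that is not a keyword, "*" or a valid policy name is rejected outright.

// Valid policy name: alphanumerics or any of - # = _ / @ . %
const POLICY_NAME_RE = /^[A-Za-z0-9\-#=_\/@.%]+$/;

// Pull the trusted-types directive value out of a full CSP header value.
// Returns null when the directive is absent.
function trustedTypesValue(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === "trusted-types") return rest.join(" ");
  }
  return null;
}

// Parse the directive value into the flags and allowlist the checks need.
function parseTrustedTypesDirective(value) {
  const rules = { names: new Set(), any: false, none: false, allowDuplicates: false };
  for (const token of value.trim().split(/\s+/).filter(Boolean)) {
    const lower = token.toLowerCase();
    if (lower === "'none'") rules.none = true;
    else if (lower === "'allow-duplicates'") rules.allowDuplicates = true;
    else if (token === "*") rules.any = true;
    else if (POLICY_NAME_RE.test(token)) rules.names.add(token);
    else throw new Error(`trusted-types: invalid token ${JSON.stringify(token)}`);
  }
  return rules;
}

// Decide whether createPolicy(name) is permitted. `created` holds the names
// already used on this page and is updated whenever a policy is allowed.
function policyCreationAllowed(rules, name, created) {
  if (rules === null) { created.add(name); return true; }          // no directive (assumed unrestricted)
  if (rules.none) return false;                                     // 'none' blocks everything
  if (!rules.any && !rules.names.has(name)) return false;           // not on the allowlist
  if (created.has(name) && !rules.allowDuplicates) return false;    // duplicate without 'allow-duplicates'
  created.add(name);
  return true;
}

// Replay a sequence of createPolicy() calls under one header and return the
// outcome for each: true = policy created, false = blocked (createPolicy
// would throw and a SecurityPolicyViolationEvent would be dispatched).
function replay(cspHeader, names) {
  const value = trustedTypesValue(cspHeader);
  const rules = value === null ? null : parseTrustedTypesDirective(value);
  const created = new Set();
  return names.map((n) => policyCreationAllowed(rules, n, created));
}

// The page's own scenario plus edge cases (constructed inputs).
const scenarios = [
  ["require-trusted-types-for 'script'; trusted-types foo bar 'allow-duplicates'", ["foo", "foo", "baz"]],
  ["trusted-types foo bar", ["foo", "foo", "bar"]],
  ["trusted-types *", ["anything", "anything"]],
  ["trusted-types", ["foo"]],
  ["trusted-types 'none'", ["foo"]],
];
for (const [header, names] of scenarios) {
  console.log(JSON.stringify(header), names, "->", replay(header, names));
}
```

Running it shows the page's scenario as [true, true, false], the same names without 'allow-duplicates' as [true, false, true], a bare "trusted-types" (equivalent to 'none') as [false], and "*" permitting any name once but not twice. Note that the model only answers "may this policy be created"; whether DOM sinks actually demand Trusted Types is governed by require-trusted-types-for, not by this directive.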
Specifications
| Specification |
|---|
| Trusted Types # trusted-types-csp-directive |