CSP: trusted-types

您正在阅读此内容的英文版本,因为该语系尚未翻译。 帮助我们翻译此文章吧!

The HTTP Content-Security-Policy (CSP) trusted-types  directive instructs user agents to restrict usage of known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings. This allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares a white-list of trusted type policy names created with TrustedTypes.createPolicy from Trusted Types API.

Syntax

Content-Security-Policy: trusted-types *;
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName>; 
*
Allows for creating policies with any name, including policies with a name that was already used.
<DOMString>
Any string can be a Trusted Type policy name.

Examples

TODO

Specifications

Specification Status Comment
Trusted Types Draft Initial definition.

Browser compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
trusted-types
Experimental
Chrome ?
?
No support 73 — 76
Disabled
Disabled From version 73 until version 76 (exclusive): this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
Edge No support NoFirefox No support NoIE No support NoOpera No support NoSafari No support NoWebView Android No support NoChrome Android ?
?
No support 73 — 76
Disabled
Disabled From version 73 until version 76 (exclusive): this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.
Firefox Android No support NoOpera Android No support NoSafari iOS No support NoSamsung Internet Android No support No

Legend

No support  
No support
Compatibility unknown  
Compatibility unknown
Experimental. Expect behavior to change in the future.
Experimental. Expect behavior to change in the future.
User must explicitly enable this feature.
User must explicitly enable this feature.

See also