CSP: trusted-types

The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict usage of known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings. This allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares a white-list of trusted type policy names created with TrustedTypes.createPolicy from Trusted Types API.

Syntax

Content-Security-Policy: trusted-types;
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates';

<DOMString>: Any string can be a Trusted Type policy name.
'allow-duplicates': Allows for creating policies with a name that was already used

Examples

TODO

Polyfill

A polyfill for Trusted Types is available on Github.

Specifications

Specification	Status	Comment
Trusted Types	Draft	Initial definition.

Browser compatibility

Update compatibility data on GitHub

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	Android webview	Chrome for Android	Firefox for Android	Opera for Android	Safari on iOS	Samsung Internet
`trusted-types` Experimental	Chrome Full support 83 Full support 83 No support 73 — 76 Disabled Disabled From version 73 until version 76 (exclusive): this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge ?	Firefox No support No	IE No support No	Opera No support No	Safari No support No	WebView Android Full support 83	Chrome Android Full support 83 Full support 83 No support 73 — 76 Disabled Disabled From version 73 until version 76 (exclusive): this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Firefox Android No support No	Opera Android No support No	Safari iOS No support No	Samsung Internet Android No support No

Legend

Full support: Full support
No support: No support
Compatibility unknown: Compatibility unknown
Experimental. Expect behavior to change in the future.: Experimental. Expect behavior to change in the future.
User must explicitly enable this feature.: User must explicitly enable this feature.