The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict the use of known DOM XSS sinks (for example innerHTML and other string-accepting DOM APIs) to a predefined set of functions that only accept non-spoofable, typed values in place of plain strings. This lets authors define rules that guard every write of a value into the DOM, reducing the DOM XSS attack surface to small, isolated parts of the web application codebase and making those parts easier to monitor and code-review. The directive declares an allowlist of Trusted Type policy names that may be created with TrustedTypes.createPolicy from the Trusted Types API; a script attempting to create a policy whose name is not listed is rejected.
Syntax
Content-Security-Policy: trusted-types *;
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName>;
- *
- Allows creating policies with any name, including a name that has already been used for an existing policy.
- <DOMString>
- Any string can be a Trusted Type policy name; listing one or more names allows only policies with exactly those names to be created.
Examples
TODO
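The page leaves this section empty, so here is an added example (not MDN's or the Trusted Types spec's own code) that models the enforcement the directive asks of a user agent, so that its allowlist semantics can be exercised outside a browser. It assumes the rules this page states: a policy may only be created if its name is listed (or `*` is given), a name may be reused only under `*`, and once the directive is present a sink refuses plain strings and accepts only a typed value minted by a policy. The `parseTrustedTypesDirective`, `TrustedTypePolicyFactory`, `assignInnerHTML` and `runScenario` names, and the attacker payload, are all constructed for this example; in a real page the factory is the browser's `TrustedTypes` object and the sink is a DOM property such as `element.innerHTML`.

```javascript
// Added example: a model of `trusted-types` enforcement, not the browser API.

// Parse the `trusted-types` part of a CSP header value, e.g.
// "default-src 'self'; trusted-types sanitizer", into an allowlist.
// Returns null when the directive is absent (no enforcement).
function parseTrustedTypesDirective(headerValue) {
  const directive = headerValue
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('trusted-types'));
  if (!directive) return null;
  const names = directive.split(/\s+/).slice(1);
  return {
    wildcard: names.includes('*'),            // "*" allows any name
    allowed: new Set(names.filter((n) => n !== '*')),
  };
}

// Stand-in for TrustedHTML. Sinks accept only instances of this class, so a
// string an attacker controls cannot reach a sink without passing a policy.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Model of the policy factory. createPolicy enforces the directive:
// the name must be allowlisted (or "*" given), and, as this page states,
// a name may be reused only under "*".
class TrustedTypePolicyFactory {
  constructor(directive) {
    this.directive = directive;
    this.created = new Set();
  }
  createPolicy(name, rules) {
    if (this.directive) {
      const { wildcard, allowed } = this.directive;
      if (!wildcard && !allowed.has(name)) {
        throw new TypeError(`Policy "${name}" is not allowed by trusted-types`);
      }
      if (!wildcard && this.created.has(name)) {
        throw new TypeError(`Policy "${name}" already exists`);
      }
    }
    this.created.add(name);
    // The policy's rule is the only place a string becomes TrustedHTML,
    // which is why it is the one spot that needs review.
    return {
      name,
      createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
    };
  }
}

// Model of a DOM XSS sink such as `element.innerHTML = value`.
// With the directive present, only TrustedHTML is accepted.
function assignInnerHTML(element, value, directive) {
  if (directive && !(value instanceof TrustedHTML)) {
    throw new TypeError('This document requires TrustedHTML assignment');
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Worked scenario: the header allows only a policy named "sanitizer".
function runScenario() {
  const header = "default-src 'self'; trusted-types sanitizer";
  const directive = parseTrustedTypesDirective(header);
  const factory = new TrustedTypePolicyFactory(directive);
  const element = { innerHTML: '' };          // fake DOM element
  const untrusted = '<img src=x onerror=alert(1)>'; // constructed attacker input
  const outcome = {};

  // 1. A raw string at the sink is refused.
  try { assignInnerHTML(element, untrusted, directive); outcome.rawStringBlocked = false; }
  catch (e) { outcome.rawStringBlocked = e instanceof TypeError; }

  // 2. The allowlisted policy applies a deliberately conservative rule
  //    (escape everything markup-significant) and its output is accepted.
  const policy = factory.createPolicy('sanitizer', {
    createHTML: (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`),
  });
  outcome.rendered = assignInnerHTML(element, policy.createHTML(untrusted), directive);

  // 3. A policy name not in the directive is refused.
  try { factory.createPolicy('analytics', { createHTML: (s) => s }); outcome.unlistedBlocked = false; }
  catch (e) { outcome.unlistedBlocked = true; }

  // 4. Reusing an allowlisted name is refused without "*".
  try { factory.createPolicy('sanitizer', { createHTML: (s) => s }); outcome.duplicateBlocked = false; }
  catch (e) { outcome.duplicateBlocked = true; }

  // 5. Under "trusted-types *" any name, including a reused one, is accepted.
  const anyFactory = new TrustedTypePolicyFactory(parseTrustedTypesDirective('trusted-types *'));
  anyFactory.createPolicy('x', { createHTML: (s) => s });
  anyFactory.createPolicy('x', { createHTML: (s) => s });
  outcome.wildcardAllowsDuplicates = true;
  return outcome;
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The escaping rule used by the `sanitizer` policy is a placeholder; in production the policy would typically wrap a real HTML sanitizer. The point the model makes is structural: every string that reaches a sink has to go through a named, allowlisted policy, so reviewing those few `createPolicy` call sites covers the whole DOM XSS surface.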
Specifications
Specification | Status | Comment |
---|---|---|
Trusted Types | Draft | Initial definition. |
Browser compatibility
The compatibility table on this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Browser | Platform | trusted-types |
---|---|---|
Chrome | Desktop | ? (compatibility unknown) |
Edge | Desktop | No support |
Firefox | Desktop | No support |
IE | Desktop | No support |
Opera | Desktop | No support |
Safari | Desktop | No support |
WebView Android | Mobile | No support |
Chrome Android | Mobile | ? (compatibility unknown) |
Firefox Android | Mobile | No support |
Opera Android | Mobile | No support |
Safari iOS | Mobile | No support |
Samsung Internet Android | Mobile | No support |
Legend
- No support
- Compatibility unknown
- Experimental. Expect behavior to change in the future.
- User must explicitly enable this feature.