CSP: trusted-types
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Content-Security-Policy
(CSP) trusted-types
Experimental
directive instructs user agents to restrict the creation of Trusted Types policies - functions that build non-spoofable, typed values intended to be passed to DOM XSS sinks in place of strings.
Together with require-trusted-types-for
directive, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares an allowlist of trusted type policy names created with trustedTypes.createPolicy
from Trusted Types API.
Syntax
http
Content-Security-Policy: trusted-types;
Content-Security-Policy: trusted-types 'none';
Content-Security-Policy: trusted-types <policyName>;
Content-Security-Policy: trusted-types <policyName> <policyName> 'allow-duplicates';
- <policyName>
-
A valid policy name consists only of alphanumeric characters, or one of "
-#=_/@.%
". A star (*
) as a policy name instructs the user agent to allow any unique policy name ('allow-duplicates
' may relax that further). 'none'
-
Disallows creating any Trusted Type policy (same as not specifying any <policyName>).
'allow-duplicates'
-
Allows for creating policies with a name that was already used.
Examples
js
// Content-Security-Policy: trusted-types foo bar 'allow-duplicates';
if (typeof trustedTypes !== "undefined") {
const policyFoo = trustedTypes.createPolicy("foo", {});
const policyFoo2 = trustedTypes.createPolicy("foo", {});
const policyBaz = trustedTypes.createPolicy("baz", {}); // Throws and dispatches a SecurityPolicyViolationEvent.
}
Specifications
Specification |
---|
Trusted Types # trusted-types-csp-directive |
Browser compatibility
BCD tables only load in the browser