Trusted Types for DOM Manipulation

"Trusted Types" offers an optional mechanism for web sites to protect themselves against XSS (cross-site scripting) attacks. It limits the attack surface from potentially the entire code base to a handful of "policies" that a developer can implement and install, and whose usage the browser will then enforce. Trusted Types then ensure that all risky parts of the DOM can only be used with data that has gone through such a developer-supplied policy.

Comments

The intent-to-ship is presently paused. See the blink-dev thread for details.

Specification

Working draft or equivalent

Status in Chromium

Blink>SecurityFeature


Origin trial (tracking bug) in:

  • Chrome for desktop release 73
  • Chrome for Android release 73

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Mixed public signals
  • No public signals
  • No public signals
  • Positive

Owners

Intent to Prototype url

Intent to Prototype thread

Last updated on 2019-10-23