Trusted Types for DOM Manipulation

'Trusted Types' offers an (optional) mechanism for web sites to protect themselves against XSS (cross-site scripting) attacks. It limits the attack surface from potentially the entire code base to a handful of "policies" that a developer can implement and install, and whose usage the browser will then enforce. 'Trusted Types' then ensures that all risky parts of the DOM can only be used with data that has gone through such a developer-supplied policy. Release is expected in Chrome 82.
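A sketch of what such a developer-supplied policy can look like, as an added example that is not part of the original page or of Chromium's code. The policy name "app-html", the origin https://app.example and the helper names are assumptions; without the Trusted Types API (older browsers, Node) the same rule functions are used directly and return plain strings.

```javascript
// Enforcement is switched on by the page's CSP response header, for example:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html
// With that header set, assigning a plain string to a sink such as innerHTML throws.

// Rule for HTML sinks: escape every character that can start markup or
// break out of an attribute value, so user text is rendered as text.
function escapeHTML(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Rule for script-URL sinks: accept only URLs on the application's own
// origin (constructed value, an assumption of this example).
const ALLOWED_SCRIPT_ORIGIN = 'https://app.example';
function checkScriptURL(input) {
  const url = new URL(input, ALLOWED_SCRIPT_ORIGIN);
  if (url.origin !== ALLOWED_SCRIPT_ORIGIN) {
    throw new TypeError('script URL rejected by policy: ' + url.origin);
  }
  return url.href;
}

const rules = { createHTML: escapeHTML, createScriptURL: checkScriptURL };

// In a supporting browser the policy returns TrustedHTML / TrustedScriptURL
// objects; elsewhere fall back to the same functions returning strings.
const policy = (typeof globalThis.trustedTypes !== 'undefined')
  ? globalThis.trustedTypes.createPolicy('app-html', rules)
  : rules;

// The one place in the code base that writes to an HTML sink: review effort
// concentrates on the policy rules instead of every innerHTML assignment.
function renderComment(element, userText) {
  element.innerHTML = policy.createHTML(userText);
  return element;
}
```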

Specification

Working draft or equivalent

Status in Chromium

Blink>SecurityFeature


Enabled by default (tracking bug) in:

  • Chrome for desktop release 83
  • Chrome for Android release 83

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Mixed public signals
  • No public signals
  • No public signals
  • Positive

Last updated on 2020-04-01