2025 Trusted Types
- GitHub issue: https://github.com/Igalia/webengineshackfest/issues/67
- URL: https://meet.jit.si/WEH2025-Trusted-Types
Some references:
- https://bkardell.com/blog/blessing-strings.html
- https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
Trusted Types' goal is to prevent injections from attacker-controlled inputs. They can protect:
- HTML (`innerHTML`, `document.write`, ...)
- scripts (`eval`, `HTMLScriptElement`, ...)
- URLs (worker constructors, ...)
They can be created only with policies declared in CSP:
- `trusted-types policyName1 policyName2;` declares the allowed policy names
- `require-trusted-types-for 'script';` enables an `enforce` mode that makes operations with untrusted types fail
- `script-src 'trusted-types-eval';` enables eval in `enforce` mode
Chromium ships Trusted Types, but it should align better with the standard. WebKit enables them by default, but Safari doesn't ship them. Gecko disables them by default and they're not shipped in Firefox.
One of the difficulties is also that libraries need to support Trusted Types. E.g., support had to be added to libraries such as jQuery and Vue.
Also, this needs to become a default: as long as it is opt-in it's more work for developers, which creates friction for adoption.
Q: Relationship with sanitizer APIs? A: They're not superseded by Trusted Types, there are still some use cases for them (I didn't catch them, though).
Q: How do you enroll Trusted Types?
A: there are two modes: `enforce` and `report`. `report` is useful to see what problems you'd have, so that you can go and fix them, or adjust your policies.
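As an added example (not part of the hackfest notes) covering both the CSP declaration above and the enforce/report question, here are the two halves of a Trusted Types rollout: the response header, in report-only or enforcing form, and the policy object that application code creates with `trustedTypes.createPolicy()`, with a fallback for engines that don't ship the API. The policy name `app-policy`, the report endpoint `/csp-report` and the origin `https://example.invalid` are made-up placeholders, and the HTML escaper stands in for whatever sanitizer an application would really use.

```javascript
// Added example, not from the hackfest notes: (a) the CSP response header, report-only or
// enforcing, and (b) the policy application code creates with trustedTypes.createPolicy().
// "app-policy", "/csp-report" and "https://example.invalid" are made-up placeholders; the
// escaper below stands in for a real sanitizer.

// (a) Build the CSP header. reportOnly selects Content-Security-Policy-Report-Only, which
// logs violations (the "report" mode from the notes) without making DOM sinks fail.
function trustedTypesCsp({ policyNames, reportOnly = false, allowEval = false, reportUri = null }) {
  const directives = [
    `trusted-types ${policyNames.join(' ')}`,
    "require-trusted-types-for 'script'",
  ];
  // 'trusted-types-eval' lets eval() accept a TrustedScript while enforcement is on.
  if (allowEval) directives.push("script-src 'self' 'trusted-types-eval'");
  if (reportUri) directives.push(`report-uri ${reportUri}`);
  return {
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: directives.join('; ') + ';',
  };
}

// (b) The policy: every sink write goes through these functions, so the review surface for
// injection is the policy, not every innerHTML assignment in the code base.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function makePolicy(tt, name, allowedOrigin) {
  const rules = {
    // Text only: markup in attacker-controlled input is escaped, never interpreted.
    createHTML: (input) => escapeHtml(input),
    // Script URLs must resolve to our own origin; anything else is rejected.
    createScriptURL: (input) => {
      const url = new URL(input, allowedOrigin + '/');
      if (url.origin !== allowedOrigin) {
        throw new TypeError(`script URL not on ${allowedOrigin}: ${input}`);
      }
      return url.href;
    },
  };
  if (tt && typeof tt.createPolicy === 'function') {
    // Real browser support: returns TrustedHTML / TrustedScriptURL values that sinks accept.
    return tt.createPolicy(name, rules);
  }
  // Engine without Trusted Types (Firefox today, per the notes): same checks, plain strings,
  // so application code keeps a single code path.
  return rules;
}

// Stand-alone run (Node has no window.trustedTypes, so the fallback branch is taken).
const policy = makePolicy(globalThis.trustedTypes, 'app-policy', 'https://example.invalid');
console.log(trustedTypesCsp({ policyNames: ['app-policy'], reportOnly: true, reportUri: '/csp-report' }));
console.log(policy.createHTML('<b>untrusted</b>'));
```

Rolling out with `reportOnly: true` first surfaces every sink write that bypasses the policy (the `report` mode in the Q&A); once the reports are clean, switching to the enforcing header turns the same violations into failures. Keeping the fallback branch identical to the policy rules means the sanitization is the same in browsers that don't ship the API; only the blocking guarantee is missing there.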