What it is
Trusted Types is a browser security feature that locks down dangerous DOM injection points so they refuse plain strings. Instead they only accept special typed objects produced by a policy you control.
The problem it solves
DOM XSS comes from passing attacker-controlled strings to injection sinks such as innerHTML, a script element's src, or document.write. Auditing every sink by hand is fragile. Trusted Types moves the check into the browser.
How it works
- You enable it with the require-trusted-types-for 'script' CSP directive.
- You define a named policy whose createHTML function sanitizes its input.
- The policy returns a TrustedHTML object that the sink will accept.
- Any raw string passed to a sink now throws.
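The four steps above in working code, as an added example that is not part of the original note. It uses the real trustedTypes factory when run in a browser under the CSP header Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-html, and falls back to a small stand-in with the same createPolicy/createHTML/isHTML shape when run under Node so the policy logic can be exercised offline. The stand-in, the policy name app-html, the assignInnerHTML sink model and the renderComment helper are assumptions made for this illustration, not part of the specification.

```javascript
// Added example. In a browser, globalThis.trustedTypes is the native factory;
// under Node it is absent, so a stand-in with the same shape is used instead.
// The stand-in is an assumption for illustration, not the spec.

class TrustedHTMLStandIn {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

const standInFactory = {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (input) => new TrustedHTMLStandIn(rules.createHTML(String(input))),
    };
  },
  isHTML: (v) => v instanceof TrustedHTMLStandIn,
};

const tt = globalThis.trustedTypes ?? standInFactory;

// Escape the five characters that let text break out of an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The single reviewed choke point (step 2): every string that is destined for
// innerHTML passes through here. This policy only ever emits escaped text, so
// its output cannot introduce markup. An app that needs rich HTML would call a
// sanitizer here instead of escaping.
const appHtmlPolicy = tt.createPolicy('app-html', {
  createHTML: (input) => escapeHtml(input),
});

// Model of what the browser does at a sink once require-trusted-types-for
// 'script' is enforced (step 4): anything that is not a TrustedHTML object is
// refused before it reaches the DOM. The element is a plain object here so
// the contract can be shown without a DOM.
function assignInnerHTML(element, value) {
  if (!tt.isHTML(value)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  element.innerHTML = String(value);
  return element;
}

// Step 3: the policy returns a TrustedHTML object, which the sink accepts.
function renderComment(element, untrustedComment) {
  return assignInnerHTML(element, appHtmlPolicy.createHTML(untrustedComment));
}
```

Passing the raw string straight to assignInnerHTML throws, while routing it through appHtmlPolicy.createHTML succeeds and lands as escaped text; in a real page the same split is enforced by the browser on every innerHTML, script src and document.write call, so a review only has to read the policy functions.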
Why it is strong
It converts a sprawling audit problem into a small number of reviewed policies. Security review focuses only on the policy functions, which become the single choke point.
Key idea
Trusted Types makes DOM sinks reject raw strings so all dangerous assignments flow through a small set of reviewed policies.