Locking down dangerous sinks
Trusted Types is a browser mechanism that stops DOM-based cross-site scripting at its source. Many injection bugs flow into a small set of dangerous sinks such as innerHTML and script.src. Trusted Types makes those sinks reject plain strings and accept only values produced by a vetted policy.
- It identifies the dangerous DOM sinks.
- It requires a Trusted Types object at each sink.
- Plain string assignment throws a TypeError instead of executing.
How policies create safe values
You enforce Trusted Types through a Content Security Policy directive. Code that needs to write to a sink must then route the string through a named policy whose function sanitizes or vouches for the value and returns a trusted object. This centralizes every risky write into a few audited functions.
- A policy function returns a TrustedHTML or TrustedScript value.
- Every sink write must come from such a policy.
- Auditing shrinks to reviewing the policy functions.
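The two passages above (sinks that reject plain strings, and a named policy that produces the only values they accept) as one worked example. This is added code, not from the page or from any browser vendor's documentation. The policy name `comment-html`, the CSP header shown in the comments, the allow-listed script origin, and the comment text are constructed for the example; in a browser the `trustedTypes` global and the sink enforcement are provided by the engine, and under Node a small shim (an assumption, labelled in the code) stands in for the factory so the example runs offline.

```javascript
// Added example (not from the page): one named Trusted Types policy that
// guards two sinks, and the TypeError a plain string produces at a sink.
//
// In a browser this runs under the response header (constructed for the example):
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types comment-html
// which exposes `globalThis.trustedTypes` and turns plain-string assignment
// to innerHTML or script.src into a TypeError.
//
// Under Node there is no DOM, so a small constructed shim stands in for the
// trustedTypes factory (an assumption for offline demonstration only).

const tt = globalThis.trustedTypes ?? makeTrustedTypesShim();

function makeTrustedTypesShim() {
  class TrustedHTML { constructor(v) { this.v = v; } toString() { return this.v; } }
  class TrustedScriptURL { constructor(v) { this.v = v; } toString() { return this.v; } }
  const registered = new Set();
  return {
    createPolicy(name, rules) {
      // Like the browser, refuse to register the same policy name twice.
      if (registered.has(name)) throw new TypeError(`policy "${name}" already exists`);
      registered.add(name);
      return {
        name,
        createHTML: (s) => new TrustedHTML(rules.createHTML(String(s))),
        createScriptURL: (s) => new TrustedScriptURL(rules.createScriptURL(String(s))),
      };
    },
    isHTML: (x) => x instanceof TrustedHTML,
    isScriptURL: (x) => x instanceof TrustedScriptURL,
  };
}

// Escape the five HTML metacharacters so untrusted text renders as text, not markup.
function escapeHTML(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Constructed allow-list: the only origin application scripts may be loaded from.
const SCRIPT_ORIGIN = 'https://static.example.com/';

// The single audited chokepoint: every sink write must pass through one of these.
const commentPolicy = tt.createPolicy('comment-html', {
  createHTML: (untrusted) => escapeHTML(untrusted),          // sanitizes
  createScriptURL: (url) => {                                // vouches
    if (!url.startsWith(SCRIPT_ORIGIN)) {
      throw new TypeError(`refusing to vouch for script URL: ${url}`);
    }
    return url;
  },
});

// Locked sinks. In a browser under the CSP above the innerHTML and src setters
// reject plain strings themselves; the explicit checks reproduce that behaviour
// so the failure mode is visible when the example runs under Node.
function setInnerHTML(target, value) {
  if (!tt.isHTML(value)) {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  target.innerHTML = value;
  return String(target.innerHTML);
}

function setScriptSrc(scriptEl, value) {
  if (!tt.isScriptURL(value)) {
    throw new TypeError("This document requires 'TrustedScriptURL' assignment.");
  }
  scriptEl.src = value;
  return String(scriptEl.src);
}

// Demonstration with constructed inputs and plain-object stand-ins for elements.
function demo() {
  const div = { innerHTML: '' };
  const untrustedComment = '<script>x</script> & "y"';
  const rendered = setInnerHTML(div, commentPolicy.createHTML(untrustedComment));

  let rejectedString = false;
  try { setInnerHTML(div, untrustedComment); } catch (e) { rejectedString = e instanceof TypeError; }

  const script = { src: '' };
  const src = setScriptSrc(script, commentPolicy.createScriptURL(SCRIPT_ORIGIN + 'app.js'));

  let rejectedURL = false;
  try { commentPolicy.createScriptURL('https://other.example.net/x.js'); } catch (e) { rejectedURL = true; }

  return { rendered, rejectedString, src, rejectedURL };
}
```

The point to notice is where the review effort lands: `setInnerHTML` and `setScriptSrc` never inspect their input, and neither does any caller. Everything that decides whether a string is safe lives in the two functions passed to `createPolicy`, so an audit of the page's injection surface is an audit of those functions plus a search for every `createPolicy` call the CSP permits.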
By turning a whole bug class into a type error, Trusted Types catches mistakes that scattered manual encoding would miss.
Key idea
Trusted Types forces dangerous DOM sinks to accept only values vetted by a named policy, turning DOM injection into a type error.