[webkit-dev] Request for Position: Trusted Types

Patrick Griffis pgriffis at igalia.com
Tue Mar 29 10:05:40 PDT 2022


Hi everybody,

I'd like input on the Trusted Types API[0].

It is a set of APIs intended to protect against DOM-based XSS attacks.
It changes various APIs to not accept arbitrary strings, for example
`element.innerHTML` can only be assigned a `TrustedHTML` object. These
are also policies controllable by Content-Security-Policy[1].

It has been implemented by Chromium 83+ (May 2020). There is a polyfill
for everything else[2].

This would be a moderately large task that Igalia would consider
starting in H2 if there is consensus on this.

Thanks,
Patrick

[0] https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types#browser_compatibility
[2] https://github.com/w3c/webappsec-trusted-types#polyfill
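
The mechanism described in the message above, as an added example that is not part of the original post or of any WebKit code: a page creates a named policy, and under CSP enforcement only that policy's `TrustedHTML` output may reach `innerHTML`. The policy name `escape-html`, the helper names, and the non-browser stand-in are assumptions made for illustration.

```javascript
// Response header that turns enforcement on in a supporting browser:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-html
// With it, `el.innerHTML = someString` throws a TypeError; only a TrustedHTML
// object produced by an allow-listed policy is accepted by the sink.

// Rule applied by the policy: neutralise HTML metacharacters in untrusted text.
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Use the native API where it exists. Elsewhere (for example Node, so the
// example can be run outside a browser) fall back to a minimal stand-in with
// the same createPolicy/createHTML shape. The stand-in is not the polyfill
// linked in the post and enforces nothing at the sink.
const tt = globalThis.trustedTypes ?? {
  createPolicy(name, rules) {
    return {
      name,
      createHTML: (s) => Object.freeze({ toString: () => rules.createHTML(s) }),
    };
  },
};

// 'escape-html' is a hypothetical policy name; it must match the
// `trusted-types` directive in the header above.
const policy = tt.createPolicy('escape-html', { createHTML: escapeHTML });

// The only code path that writes to the sink: untrusted text goes through
// the policy first, so reviewing the policy covers every innerHTML write.
function renderComment(target, untrusted) {
  const trusted = policy.createHTML(untrusted);
  target.innerHTML = trusted;
  return String(trusted);
}
```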

