[webkit-dev] Request for Position: Trusted Types

Patrick Griffis pgriffis at igalia.com
Tue Mar 29 10:05:40 PDT 2022

Hi everybody,

I'd like input on the Trusted Types API[0].

It is a set of APIs intended to protect against DOM-based XSS attacks.
It changes various APIs to not accept arbitrary strings, for example
`element.innerHTML` can only be assigned a `TrustedHTML` object. These
are also policies controllable by Content-Security-Policy[1].

It has been implemented by Chromium 83+ (May 2020). There is a polyfill
for everything else[2].

This would be a moderately large task that Igalia would consider
starting in H2 if there is consensus on this.


[0] https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
[2] https://github.com/w3c/webappsec-trusted-types#polyfill
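
The behaviour described in the message above, sketched as an added example that is not part of the original post or of any WebKit or Chromium code: a policy turns untrusted strings into `TrustedHTML`, and an enforcing sink rejects plain strings. The policy name `escape-html`, the helper names, and the stand-in used where `trustedTypes` is unavailable are assumptions made for illustration.

```javascript
// Enforcement is switched on by CSP in a supporting browser:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape-html

// Constructed stand-in, used only where the native API is absent (e.g. Node).
// It models named policies whose createHTML output is wrapped in an object
// that a sink can recognise; it is not the polyfill mentioned in the post.
class StandInTrustedHTML {
  #html;
  constructor(html) { this.#html = String(html); }
  toString() { return this.#html; }
}
const standIn = {
  createPolicy: (name, rules) => ({
    name,
    createHTML: (s) => new StandInTrustedHTML(rules.createHTML(String(s))),
  }),
  isHTML: (v) => v instanceof StandInTrustedHTML,
};
const tt = globalThis.trustedTypes ?? standIn;

// The policy is the single audited place where a string may become HTML.
// This one (hypothetical name "escape-html") escapes all markup characters.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapePolicy = tt.createPolicy('escape-html', {
  createHTML: (input) => input.replace(/[&<>"']/g, (c) => ESCAPES[c]),
});

// Model of an enforcing sink such as element.innerHTML under
// require-trusted-types-for 'script': anything that is not TrustedHTML
// is rejected with a TypeError instead of being parsed as markup.
function assignToHtmlSink(value) {
  if (!tt.isHTML(value)) {
    throw new TypeError('This sink requires a TrustedHTML value');
  }
  return String(value); // the markup the sink would parse
}

// Application code: untrusted input reaches the sink only through the policy.
function renderComment(untrusted) {
  return assignToHtmlSink(escapePolicy.createHTML(untrusted));
}
```
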
