Trusted types
Trusted Types lets a page lock down the DOM injection sinks (`innerHTML`, `eval()`, `script.src` and the like) so that they accept only typed values minted by a policy you control, never raw strings. Since every path from untrusted data to a sink then passes through a handful of auditable policy callbacks, it removes the main vector for client-side (DOM-based) cross-site scripting (XSS).
Overview
Trusted Types replaces the string arguments of DOM XSS sinks with three opaque object types: `TrustedHTML` for markup sinks such as the `innerHTML` setter, `TrustedScript` for sinks that execute script text (a script element's `text`, `innerText` and `textContent`, and string `code` parameters), and `TrustedScriptURL` for a script element's `src`. None of them has a constructor; they are minted only by a `TrustedTypePolicy` obtained from `trustedTypes.createPolicy()`, and the policy's callbacks are where sanitization or allowlisting happens. Enforcement is switched on by the Content Security Policy directive `require-trusted-types-for 'script'`: from then on assigning a plain string to a sink throws a `TypeError`, unless a policy named `default` exists, in which case the browser routes the string through that policy first. The companion `trusted-types` directive restricts which policy names may be created, so reviewing the few named policies stands in for reviewing every sink in the code base.
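As an added example (not code from the web-features page or from any browser vendor), the following defines the single named policy an application would register with a CSP of `require-trusted-types-for 'script'; trusted-types app`. The policy name `app`, the application origin and the static-asset origin are assumptions. The rule functions are plain JavaScript so they can be exercised without a DOM, and `installAppPolicy` returns `null` where `window.trustedTypes` is absent so the caller can keep the same rules on a string fallback path.

```javascript
// Added example: one named Trusted Types policy for an application.
// Assumptions: policy name "app" and the two origins below.
const APP_BASE_URL = 'https://app.example.com/';                     // assumption
const ALLOWED_SCRIPT_ORIGINS = new Set([                            // assumption
  'https://app.example.com',
  'https://static.example.com',
]);

// createHTML rule: this app never needs markup built from untrusted input,
// so every character that could open a tag or attribute is escaped. A string
// with no tags cannot introduce script when rendered as HTML.
function escapeHTML(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// createScriptURL rule: resolve relative URLs against the app, then require
// https and an allowlisted origin. Anything else throws, so
// `script.src = policy.createScriptURL(x)` fails loudly instead of loading
// a script from javascript:, http:, or an attacker-chosen host.
function checkScriptURL(input) {
  let url;
  try {
    url = new URL(String(input), APP_BASE_URL);
  } catch {
    throw new TypeError(`not a URL: ${input}`);
  }
  if (url.protocol !== 'https:' || !ALLOWED_SCRIPT_ORIGINS.has(url.origin)) {
    throw new TypeError(`script origin not allowed: ${url.origin}`);
  }
  return url.href;
}

// createScript rule: the app has no legitimate eval()/Function() use, so
// the policy refuses unconditionally rather than trying to vet script text.
function rejectScript() {
  throw new TypeError('dynamic script text is not permitted');
}

const APP_POLICY_OPTIONS = {
  createHTML: escapeHTML,
  createScriptURL: checkScriptURL,
  createScript: rejectScript,
};

// Creates the policy once. `factory` defaults to the browser's
// window.trustedTypes; a stub may be passed instead (the test does this).
// Returns null where the API is absent (Firefox < 148, Safari < 26), so the
// caller can still run escapeHTML/checkScriptURL on the plain-string path.
function installAppPolicy(factory = globalThis.trustedTypes) {
  if (!factory || typeof factory.createPolicy !== 'function') return null;
  return factory.createPolicy('app', APP_POLICY_OPTIONS);
}

// Browser usage (element id and script path are assumptions):
//   const policy = installAppPolicy();
//   const greeting = document.getElementById('greeting');
//   greeting.innerHTML = policy ? policy.createHTML(name) : escapeHTML(name);
//   const s = document.createElement('script');
//   s.src = policy ? policy.createScriptURL('/widget.js') : checkScriptURL('/widget.js');
//   document.head.append(s);
```

The design point is that the allowlist and the escaping live in the policy, not at the call sites: with `trusted-types app` in the CSP, no other code on the page can mint a `TrustedScriptURL`, so a reviewer who has read `checkScriptURL` has reviewed every dynamic script load.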
Browser support
| Feature | Chrome | Edge | Firefox | Safari | Chrome Android | Safari iOS |
|---|---|---|---|---|---|---|
| Trusted Types (feature overall) | 83 | 83 | 148 | 26 | 83 | 26 |
| `innerHTML` setter: requires a `TrustedHTML` instance when Trusted Types are enforced | 83 | 83 | 148 | 26 | 83 | 26 |
| `innerText` of a script element: requires a `TrustedScript` instance when Trusted Types are enforced | 83 | 83 | 148 | 26 | 83 | 26 |
| `src` of a script element: requires a `TrustedScriptURL` instance when Trusted Types are enforced | 83 | 83 | 148 | 26 | 83 | 26 |
| `text` of a script element: requires a `TrustedScript` instance when Trusted Types are enforced | 83 | 83 | 148 | 26 | 83 | 26 |
| `textContent` of a script element: requires a `TrustedScript` instance when Trusted Types are enforced | 83 | 83 | 148 | 26 | 83 | 26 |
| String `code` parameter of script-executing functions: requires a `TrustedScript` instance when Trusted Types are enforced | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedHTML`: represents a string that a developer can insert into an injection sink that will render it as HTML. Created via `TrustedTypePolicy.createHTML()`; has no constructor | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedHTML.toJSON()`: returns a JSON representation of the stored data | 90 | 90 | 148 | 26 | 90 | 26 |
| `TrustedHTML.toString()`: returns the stored string, which may safely be inserted into an injection sink | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedScript`: represents a string with an uncompiled script body that a developer can insert into an injection sink that might execute it. Created via `TrustedTypePolicy.createScript()`; has no constructor | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedScript.toJSON()`: returns a JSON representation of the stored data | 90 | 90 | 148 | 26 | 90 | 26 |
| `TrustedScript.toString()`: returns the stored string, which may safely be inserted into an injection sink | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedScriptURL`: represents a string that a developer can insert into an injection sink that will parse it as the URL of an external script. Created via `TrustedTypePolicy.createScriptURL()`; has no constructor | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedScriptURL.toJSON()`: returns a JSON representation of the stored data | 90 | 90 | 148 | 26 | 90 | 26 |
| `TrustedScriptURL.toString()`: returns the stored string, which may safely be inserted into an injection sink | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicy`: a group of functions that create Trusted Type objects | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicy.createHTML()`: creates a `TrustedHTML` object according to the rules of a policy created by `TrustedTypePolicyFactory.createPolicy()` | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicy.createScript()`: creates a `TrustedScript` object according to the rules of a policy created by `TrustedTypePolicyFactory.createPolicy()` | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicy.createScriptURL()`: creates a `TrustedScriptURL` object according to the rules of a policy created by `TrustedTypePolicyFactory.createPolicy()` | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicy.name` (read-only): the name of the policy | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory`: creates policies and verifies Trusted Type objects against the policies it created | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.createPolicy()`: creates a `TrustedTypePolicy` object that implements the rules passed as `policyOptions` | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.defaultPolicy` (read-only): the policy named `default`, or `null` if none has been created | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.emptyHTML` (read-only): a `TrustedHTML` object containing an empty string | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.emptyScript` (read-only): a `TrustedScript` object containing an empty string | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.getAttributeType()`: reports whether a Trusted Type is required for a given element attribute and, if so, which one | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.getPropertyType()`: reports whether a Trusted Type is required for a given element property and, if so, which one | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.isHTML()`: returns `true` if passed a valid `TrustedHTML` object | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.isScript()`: returns `true` if passed a valid `TrustedScript` object | 83 | 83 | 148 | 26 | 83 | 26 |
| `TrustedTypePolicyFactory.isScriptURL()`: returns `true` if passed a valid `TrustedScriptURL` object | 83 | 83 | 148 | 26 | 83 | 26 |
| `Window.trustedTypes` (read-only): the `TrustedTypePolicyFactory` for the global object, the entry point for the API | 83 | 83 | 148 | 26 | 83 | 26 |
| Other | | | | | | |
| CSP `require-trusted-types-for` directive: requires that DOM XSS sinks such as the `Element.innerHTML` setter receive Trusted Type objects rather than strings | 83 | 83 | 148 | 26 | 83 | 26 |
| CSP `trusted-types` directive: an allowlist of policy names that the page may create with `trustedTypes.createPolicy()` | 83 | 83 | 148 | 26 | 83 | 26 |
Syntax
```html
<meta http-equiv="Content-Security-Policy"
      content="require-trusted-types-for 'script'">
<!-- DOMPurify is the sanitizer the policy below calls. Loading it via markup
     is not a DOM sink; the path is an assumption. -->
<script src="/vendor/purify.min.js"></script>
<div id="out"></div>
<script>
  // A policy named 'default' is also applied automatically to any plain string
  // assigned to a sink, so legacy assignments are sanitized instead of rejected.
  const policy = trustedTypes.createPolicy('default', {
    createHTML: (input) => DOMPurify.sanitize(input)
  });
  const el = document.getElementById('out');
  const userInput = '<img src=x onerror="alert(1)">';  // stand-in for attacker-controlled text
  el.innerHTML = policy.createHTML(userInput);          // sink receives TrustedHTML, not a string
</script>
```
Use cases
Migrate a large code base away from DOM XSS
Turn the directive on with `Content-Security-Policy-Report-Only` first, use a logging `default` policy and `securitypolicyviolation` events to find every place a raw string reaches a sink, then replace each one with a policy call or with a DOM API that is not a sink.
Make sanitization auditable
Only policies can mint the trusted objects, so a `trusted-types` directive with a short allowlist of policy names turns a review of every DOM sink into a review of a few policy callbacks, which is where the sanitizer (DOMPurify, for example) is invoked.
Cautions
- Support outside Chromium is recent (Firefox 148, Safari 26 per the table above), so feature-detect `window.trustedTypes` and keep the same sanitization logic on the plain-string path for browsers without it; the fallback must never be raw assignment.
- Roll out with `Content-Security-Policy-Report-Only` before enforcing: once the header is enforcing, a legacy string assignment, or a policy callback that throws, breaks the page at that point.
- A `default` policy that passes input through unchanged gives no protection; treat it as a migration aid that is removed once the logged sinks are fixed.
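The report-only rollout the cautions above call for, as an added example that is not part of the page: it assumes the server sends `Content-Security-Policy-Report-Only: require-trusted-types-for 'script'` and that no other code creates a policy named `default`. The `default` policy receives every raw string written to a sink together with the type and sink name, records it, and passes it through unchanged, which is acceptable only while the header is report-only; `summarizeViolation` turns the browser's `securitypolicyviolation` events into one triage line each, and `rankSinks` orders the collected log by offending sink.

```javascript
// Added example: instrumentation for a report-only Trusted Types rollout.
// Assumption: the server sends
//   Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
// so nothing breaks yet, while every offending sink is recorded.

const MAX_SAMPLE = 40;   // logged samples may contain user data; keep them short

// Builds the options for the special policy named "default". The browser
// calls these callbacks with (value, typeName, sinkName) whenever a plain
// string reaches a sink. Returning the value unchanged is an interim measure
// that keeps legacy code working while `log` accumulates what must be fixed.
function makeDefaultPolicyOptions(log) {
  const record = (value, typeName, sinkName) => {
    const text = String(value);
    log.push({
      type: typeName,
      sink: sinkName,
      sample: text.length > MAX_SAMPLE ? text.slice(0, MAX_SAMPLE) + '...' : text,
    });
    return text;          // pass-through: remove before switching to enforcement
  };
  return { createHTML: record, createScript: record, createScriptURL: record };
}

// One-line summary of a SecurityPolicyViolationEvent, or null when the event
// concerns some other directive. Only the fields read here are required, so a
// plain object with the same names works as well as a real event.
function summarizeViolation(ev) {
  if (!ev || ev.violatedDirective !== 'require-trusted-types-for') return null;
  const where = ev.sourceFile ? `${ev.sourceFile}:${ev.lineNumber}` : 'unknown location';
  const sample = ev.sample ? String(ev.sample).slice(0, MAX_SAMPLE) : '';
  return `[${ev.disposition || 'enforce'}] ${ev.blockedURI || 'sink'} at ${where}: ${sample}`;
}

// Counts log entries per sink, most frequent first, so the triage list
// starts with the assignments that will break the most once enforced.
function rankSinks(log) {
  const counts = new Map();
  for (const entry of log) counts.set(entry.sink, (counts.get(entry.sink) || 0) + 1);
  return [...counts.entries()].sort((a, b) => b[1] - a[1]);
}

// Browser wiring. `factory` and `target` default to the page globals; stubs
// may be passed instead (the test does this). Returns the default policy, or
// null where the Trusted Types API is absent.
function installRolloutInstrumentation(log, factory = globalThis.trustedTypes, target = globalThis) {
  if (target && typeof target.addEventListener === 'function') {
    target.addEventListener('securitypolicyviolation', (ev) => {
      const line = summarizeViolation(ev);
      if (line) console.warn(line);
    });
  }
  if (!factory || typeof factory.createPolicy !== 'function') return null;
  return factory.createPolicy('default', makeDefaultPolicyOptions(log));
}

// Page usage: const sinkLog = []; installRolloutInstrumentation(sinkLog);
// then, after exercising the app, inspect rankSinks(sinkLog) in the console.
```

Once `rankSinks` comes back empty across the application's flows, the header can move from report-only to enforcing and the pass-through default policy should be deleted, leaving only named policies whose callbacks actually sanitize.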
Accessibility
- Trusted Types changes how values reach the DOM, not what is rendered, so it has no direct accessibility effect; do check that the sanitizer behind your policy keeps the ARIA attributes, labels and headings your content relies on rather than stripping them.
Powered by web-features