web-platform-tests / interop

web-platform-tests Interop project
https://wpt.fyi/interop

Trusted Types #800

Open otherdaniel opened 2 weeks ago

otherdaniel commented 2 weeks ago

Description

Trusted Types enable writing web applications that are free from DOM-Based Cross-Site-Scripting (XSS), the most prevalent web application vulnerability.

DOM-Based XSS occurs when attacker-controlled values reach certain Web API functions, like Element.innerHTML, which causes the execution of the attacker's JavaScript code. This pattern is common, especially in larger applications, and detecting it requires complex interprocedural data flow tracking in a dynamic language (a[b] = c might actually be a vulnerability). Before Trusted Types adoption at Google, DOM-Based XSS accounted for >50% of XSS reported to Google VRP.

Trusted Types lock down those execution sinks to only accept values that were created securely; either because they are https://github.com/w3c/trusted-types/issues/347 or because they were created through author-created https://github.com/w3c/trusted-types/issues/347. One can also create a default, catch-all policy, e.g. to sanitize HTML or programmatically control where the scripts can be loaded from.

The lockdown is controlled via CSP, which enables breakage-free rollouts with report-only mode, and gradual, backwards-compatible code migration - using the new APIs without locking down the execution sinks. In fact, about 60% of pages rendered by Chrome globally already use Trusted Types, likely via inclusion of Alphabet's libraries, whereas around 14% of the traffic enforces Trusted Types via CSP.

Altogether, Trusted Types enable both writing new applications that are XSS-free, and eliminating DOM-Based XSS from existing applications, with a track record from Microsoft, Meta and Alphabet adoptions. As a data point, Alphabet applications migrated to Trusted Types have 0 reported XSS against them and we only see these bugs in applications not yet migrated, which is a significant reduction. In 2018 Google VRP rewarded $360K for all XSSes, in 2022 it was $95K.

Since 2023, Trusted Types is being upstreamed into HTML.

Specification

https://html.spec.whatwg.org/, references https://w3c.github.io/trusted-types/dist/spec/

Additional Signals

Standards Positions

Firefox: https://github.com/mozilla/standards-positions/issues/20
Safari: https://github.com/WebKit/standards-positions/issues/186

Browser bug reports

Limited feedback, but https://bugs.chromium.org/p/chromium/issues/list?q=component%3ABlink%3ESecurityFeature%3ETrustedTypes&can=1

Developer discussions

Trusted Types rollouts - w3c
Trusted Types - mid 2021 report
Trusted Types Interop 2024 proposal

Meta uses Trusted Types by default for new products, and rolls out TT enforcement in existing products (in 2022 they reported 50% already migrated). MS uses Trusted Types for Edge integration applications (Bing Collections), and in Edge WebUI pages.

Integration of Trusted Types completed or ongoing for several libraries and frameworks (https://github.com/w3c/trusted-types/wiki/Integrations) - the page might be a bit outdated, e.g.

TT are supported in Next.js
TT are a top priority for the Angular framework, as it would allow them to move away from user space-level safe-value constructs.

Existing Usage

https://chromestatus.com/metrics/feature/timeline/popularity/3279 (60% of page loads create a Trusted Types Policy in main document, or a subframe)
https://chromestatus.com/metrics/feature/timeline/popularity/2724 (0.2% use a default Trusted Type policy)
https://chromestatus.com/metrics/feature/timeline/popularity/3160 (12.5% enforce Trusted Types via CSP)
https://chromestatus.com/metrics/feature/timeline/popularity/3161 (2.8% use a report-only Trusted Types CSP)

gsnedders commented 1 week ago

https://wpt.fyi/results/trusted-types?label=master&label=experimental&aligned