
A browser API to prevent DOM-Based Cross Site Scripting in modern web applications.

Primary LanguageJavaScriptOtherNOASSERTION

![npm bundlesize(https://img.shields.io/bundlephobia/minzip/trusted-types.svg[Libraries.io dependency status lforlatestrelease(https://img.shields.io/librariesio/release/npm/trustdltpes.svg[GitHubissues(https://img.shields.io/github/issues/w3c/truste-types.svg[npm(https://img.shields.io/npm/v/trustedtypes.svg[BrowserStacklStatus(https://www.browserstack.com/automate/badge.svgbadge_key=eGZQNXU1U09vZjkrZzYzU3YrQ2FsbUpheGczR0VmMTZUSjBydnNjd1pKTT0tLTZPMWVJTnU1UHvYjFCb0pHQmlsaXc9PQ%3d%3d295829245abf0dd0cd150f9ca4fe3198da38747b(https://www.browserstack.com/

automate/publicbuild/eGZQNXU1U09vZjkrZzYzU3YrQ2FsbUpheGczR0VmMTZUSjBydnNjd1pKTT0tLTZPMWVJTnU1UHJvYjFCb0pHQmlsaXc9PQ%3d%3d-295829245abf0dd0cd150f9ca4fe3198da38747b) https://www.browserstack.com/automate/publicbuild/eGZQNXU1U09vZjkrZzYzU3YrQ2FsbUpheGczR0VmMTZUSjBydnNjd1pKTT0tLTZPMWVJTnU1UHJvYjFCb0pHQmlsaXc9PQ%3d%3d 295829245abf0dd0cd150f9ca4fe3198da38747 # Trusted Types First time here? This is a repository hosting the Trusted Typesspecification draft and the polyfill code. You might want to check out other resources about Trusted Types: * Introduction for web developers - API description with examples. * Explainer - introductory explainer (what problem is the API solving?). * Specification draft - a more comprehensive and formalized description of the Trusted Types API. * Browser Support - The API is available natively in browsers based on Chromium version 83 and up.

Polyfill This repository contains a polyfill implementation that allows you to use the API in all web browsers. The compiled versions are stored in dist directory. ### Browsers

The ES5 / ES6 builds can be loaded directly in the browsers. There are two variants of the browser polyfill - api_only (light) and full. The api_only variant defines the API, so you can create policies and types. Full version also enables the type enforcement in the DOM, based on the CSP policy it infers from the current document (see src/polyfill/full.js).

<!-- API only -->
<script src="https://w3c.github.io/webappsec-trusted-types/dist/es5/trustedtypes.api_only.build.js"></script>
     const p = trustedTypes.createPolicy('foo', ...)
     document.body.innerHTML = p.createHTML('foo'); // works
     document.body.innerHTML = 'foo'; // but this one works too (no enforcement).
```html<!-- Full --><script src="https://w3c.github.io/webappsec-trusted-types/dist/es5/trustedtypes.build.js" data-csp="trusted-types foo bar; require-trusted-types-for 'script'"></script>
<script>trustedTypes.createPolicy('foo', ...);
    trustedTypes.createPolicy('unknown', ...); // throws
    document.body.innerHTML = 'foo'; // throws</script>


Polyfill is published as an npm package trusted-types:

$ npm install trusted-types

The polyfill supports both CommonJS and ES Modules.

const tt = require('trusted-types'); // or import { trustedTypes } from 'trusted-types'

Tinyfill Due to the way the API is designed, it's possible to polyfill the most important

API surface (trustedTypes.createPolicy function) with the following snippet:

if(typeof trustedTypes ==  'undefined')trusted
Types={createPolicy:(n, rules) => rules};

It does not enable the enforcement, but allows the creation of policies that return string values instead of Trusted Types in non-supporting browsers. Since the injection sinks in those browsers accept strings, the values will be accepted unless the policy throws an error. This tinyfill code allows most applications to work in both Trusted-Type-enforcing and a legacy environment.

Building To build the polyfill yourself (Java required):

$ git clone https://github.com/w3c/webappsec-trusted-types/
$ cd trusted-types
$ npm install
$ npm run build


To see the polyfill in action, visit the demo page.


It can be tested by running:

$ npm test

The polyfill can also be run against the web platform test suite, but that requires small patches to the suite - see tests/platform-tests/platform-tests-runner.sh. Cross-browser testing provided by BrowserStack. BrowserStack # Contributing See CONTRIBUTING. # Questions? Our wiki or the specification may already contain an answer to your question. If not, please contact us!