Trusted Types
Slap yourself if
You think Trusted Types is just another sanitizer or believe enabling it automatically fixes XSS.
Why this exists
Because Trusted Types is one of the strongest DOM XSS mitigations available, yet teams either avoid it because of the migration friction or deploy it without understanding what the browser actually enforces and what it leaves untouched.
Mental model
Trusted Types moves DOM XSS defense from string inspection to type enforcement. Once the response carries the CSP directive `require-trusted-types-for 'script'`, the browser rejects a plain string at a DOM injection sink and accepts only a TrustedHTML, TrustedScript or TrustedScriptURL object minted by a policy registered through `trustedTypes.createPolicy`.
- The browser type-checks values assigned to DOM injection sinks (innerHTML, outerHTML, insertAdjacentHTML, document.write, iframe srcdoc, eval and string-argument setTimeout, script.src, script.text, among others).
- Only values returned by a registered policy's createHTML, createScript or createScriptURL are accepted. Whatever sanitization or validation happens, happens inside that policy function, so that function is the code to review.
- A plain string reaching a sink is rejected at assignment time, before it is parsed or executed.
- In enforcement mode a violation throws a TypeError and fires a CSP report; under Content-Security-Policy-Report-Only it only reports, and the assignment goes through unchanged.
Common mistakes
- Treating Trusted Types as a sanitizer. It is a gate at the sink; the policy's createHTML still has to do the sanitizing (for example DOMPurify with RETURN_TRUSTED_TYPE), and a policy that returns its input untouched sanitizes nothing.
- Registering a passthrough policy (createHTML: s => s), worst of all one named `default`, which the browser invokes for every raw string that hits a sink and so reopens all of them. Restrict allowed policy names with the `trusted-types` directive.
- Rolling out under Content-Security-Policy-Report-Only and never switching to enforcement. Report-only changes nothing at the sink; it only tells you where enforcement would break.
- Assuming it replaces CSP or output encoding. Trusted Types is itself a CSP directive, covers only client-side DOM sinks, does nothing for reflected or stored XSS rendered by the server, and is not enforced by older browsers, so it is one layer on top of encoding and script-src, not a substitute.
Trusted Types is a browser-enforced mechanism that prevents DOM XSS by requiring explicit, policy-created values at dangerous sinks instead of raw strings.
Red flags
- Calls it input sanitization. Trusted Types acts on the output side, at the sink; the input is never touched.
- Thinks it works without CSP. Policies can be created without the directive, but nothing is enforced until `require-trusted-types-for 'script'` is delivered in a CSP header or meta tag.
- Cannot name protected sinks (innerHTML, outerHTML, insertAdjacentHTML, document.write, eval, script.src, script.text).
- Assumes string coercion still works, that is, that a string or the toString() output of a Trusted object can still be handed to a sink. The sink checks the object type, so once the value is turned back into a string the proof that a policy produced it is gone and the assignment throws.
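The following is an added example, not code from the original page. It shows a policy whose createHTML escapes everything beside a passthrough policy, and models the sink check the browser performs under `require-trusted-types-for 'script'` so that the whole thing runs in Node as well as in a browser. `TrustedHTML`, `createPolicy` and `assignInnerHTML` are illustrative stand-ins for the browser's own type, `trustedTypes.createPolicy` and an `innerHTML` assignment; the payload is constructed for the demo.

```javascript
// Added example (not from the original page): a Trusted Types policy plus a
// small model of sink enforcement so the logic runs in Node as well as a browser.
// In a real page the browser does the enforcing once the response carries
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types text-only
// and the application code is
//   const p = trustedTypes.createPolicy('text-only', { createHTML: escapeHtml });
//   el.innerHTML = p.createHTML(untrusted);
// The class and functions below are illustrative stand-ins, not browser APIs.

// Stand-in for the browser's TrustedHTML: an opaque object a sink can tell
// apart from a string. Only a policy's createHTML mints one.
class TrustedHTML {
  #html;
  constructor(html) { this.#html = html; }
  toString() { return this.#html; }
}

// Escape every HTML metacharacter so the output is inert text.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Model of trustedTypes.createPolicy(name, rules). rules.createHTML is the
// only place an untrusted string becomes TrustedHTML, so reviewing it is
// reviewing the page's DOM XSS surface.
function createPolicy(name, rules) {
  return {
    name,
    createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
  };
}

// Model of an enforced sink (el.innerHTML = value under
// require-trusted-types-for 'script'): a plain string throws TypeError at
// assignment time; a TrustedHTML is unwrapped and assigned.
function assignInnerHTML(element, value) {
  if (!(value instanceof TrustedHTML)) {
    throw new TypeError(`This document requires 'TrustedHTML' assignment (got ${typeof value})`);
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Good: the policy escapes, so attacker markup renders as text.
const textOnlyPolicy = createPolicy('text-only', { createHTML: escapeHtml });

// Bad: a passthrough policy satisfies the type check and re-enables every
// injection Trusted Types was meant to stop. Naming it 'default' is worse,
// because the browser then calls it for every raw string that hits a sink.
const passthroughPolicy = createPolicy('default', { createHTML: (s) => s });

// Constructed attacker-controlled input for the demo.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// Runs four cases against a fake element and returns what the sink saw,
// or the name of the error that stopped the assignment.
function demo(payload = PAYLOAD) {
  const el = { innerHTML: '' };
  const seen = {};
  try {
    assignInnerHTML(el, payload);          // raw string: rejected
    seen.rawString = el.innerHTML;
  } catch (e) {
    seen.rawString = e.constructor.name;   // 'TypeError'
  }
  seen.escaped = assignInnerHTML(el, textOnlyPolicy.createHTML(payload));
  seen.bypassed = assignInnerHTML(el, passthroughPolicy.createHTML(payload));
  try {
    // A Trusted object coerced back to a string loses its proof.
    assignInnerHTML(el, String(textOnlyPolicy.createHTML(payload)));
    seen.coerced = el.innerHTML;
  } catch (e) {
    seen.coerced = e.constructor.name;     // 'TypeError'
  }
  return seen;
}

console.log(demo());
```

Under the header shown in the comment, a real browser would refuse `trustedTypes.createPolicy('default', ...)` outright, because the `trusted-types text-only` directive allows only that one policy name; that allowlist, not the type check, is what stops someone from quietly adding a passthrough policy later.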