Trusted Types enforcement on YouTube
Alexander Bilyak
Hello everyone,
On behalf of the YouTube Security Team I would like to share that we are planning to start enforcing the Trusted Types security feature across YouTube starting July 25, 2024.
If your extension modifies HTML, and a user could use it on youtube.com, then we encourage you to follow these steps to check if your extensions are compatible and will operate properly after the feature enforcement:
Override response headers with the help of Chrome Developer tools. To do so, add the following to the local header overrides for youtube.com:
Content-Security-Policy: require-trusted-types-for 'script'Bypass YouTube's Service worker. To do so, open developer tools, navigate to the Application tab and select “Service workers” in the Application section. Check “Bypass for network” in the Service workers settings.
As a helping aid, you could enable automatic breakpoints on Trusted Type violations. By design Trusted Types will cause a runtime error if a Trusted Types violation is detected.
Test your extension workflows. You will get an error in Chrome DevTools Console if a Trusted Types violation will occur (as well as a breakpoint hit if you have enabled it).
If your extension code contains Trusted Types violations please follow this guide to resolve them. You may also want to check this list of frameworks and libraries that could help make your extension Trusted Types compliant (you may be using an old third-party library that’s worth updating).
Security of our users is always top priority for us, and we want to make sure that developers have enough time to perform necessary changes and adapt their extensions to the new security standards. That’s why we will start rolling out the change no earlier than July 25, 2024 so you can get prepared for the change.
Thanks,
| Alexander Bilyak | | Software Engineer | | abi...@google.com | | YouTube Security |