Intent to prototype: Trusted Types


Frédéric Wang

Sep 29, 2025, 5:21:55 AM
to dev-pl...@mozilla.org
Summary: An API that allows applications to lock down powerful APIs to
only accept non-spoofable, typed values in place of strings to prevent
vulnerabilities caused by using these APIs with attacker-controlled
inputs. Basic use case:

// CSP: require-trusted-types-for 'script'
const myTrustedTypesPolicy = trustedTypes.createPolicy("myPolicy", {
  createScript: value => myJSSanitizer(value)
});
let script = document.createElement("script");
script.text = unsafeCode; // blocked by CSP.
// Create a Trusted Type wrapping the string returned by
// myJSSanitizer(unsafeCode).
let trustedScript = myTrustedTypesPolicy.createScript(unsafeCode);
script.text = trustedScript; // not blocked by CSP.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1508286,
https://bugzilla.mozilla.org/show_bug.cgi?id=1845360
Specification:
  https://w3c.github.io/trusted-types/
  https://w3c.github.io/webappsec-csp/
  https://html.spec.whatwg.org/
  https://dom.spec.whatwg.org/
  https://tc39.es/ecma262/
Standards Bodies: W3C, WhatWG, ECMA
Platform coverage: All platforms
Preference: dom.security.trusted_types.enabled
DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1935431
Link to standards-positions discussion:
https://github.com/mozilla/standards-positions/issues/20
Other browsers:
  Blink: Shipped
  WebKit: Shipped
web-platform-tests:
   - trusted_types/
   - script-src/script-src-trusted_types_*
   - content-security-policy/reporting/report-clips-sample.https.html
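
One way a site can adopt the API summarized above while it is still behind a preference in some browsers (an added example, not part of the original post and not Firefox code): an allowlist policy with feature detection. The policy name "app-loader", the example.com origins and the loadScript helper are assumptions.

```javascript
// Intended CSP for the page (roll out with the -Report-Only header first):
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-loader
// Assumptions (not from the original post): policy name "app-loader",
// origins under example.com, helper name loadScript.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://static.example.com"]);
const BASE = globalThis.document ? document.baseURI : "https://app.example.com/";
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Policy callbacks: return a string to accept the value, throw to reject it.
const rules = {
  createScriptURL(input) {
    const url = new URL(input, BASE); // resolves relative and scheme-relative input
    if (url.protocol !== "https:" || !ALLOWED_SCRIPT_ORIGINS.has(url.origin)) {
      throw new TypeError("script URL not on allowlist: " + url.href);
    }
    return url.href;
  },
  createHTML(input) {
    // Escape every metacharacter so the result is inert text, never markup.
    return String(input).replace(/[&<>"']/g, (c) => ESCAPES[c]);
  },
  // No createScript callback: this policy can never mint a TrustedScript.
};

// Feature detection: where Trusted Types is unavailable or disabled by
// preference, the same checks run and plain strings come back.
const tt = globalThis.trustedTypes;
const policy = tt && typeof tt.createPolicy === "function"
  ? tt.createPolicy("app-loader", rules)
  : rules;

// Browser-only helper: the sink receives only what the policy accepted.
function loadScript(src) {
  const script = document.createElement("script");
  script.src = policy.createScriptURL(src); // throws before touching the DOM
  document.head.appendChild(script);
  return script;
}
```

Because the checks live in the policy callbacks, the same validation runs whether or not the browser enforces Trusted Types; enforcement adds the guarantee that no other code path can reach the sink with a plain string.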

Frédéric Wang

Sep 29, 2025, 5:41:35 AM
to dev-pl...@mozilla.org
Hello,

Igalia has been working on the implementation of Trusted Types for a
while, but it seems an intent to ship was never sent, so I just sent one.

While working on the implementation, we have made a big effort to
improve and extend test coverage. Currently, we are passing all the WPT
tests, except the ones for tentative features that are not part of the
spec: https://bugzilla.mozilla.org/show_bug.cgi?id=1939805#c7

Because Trusted Types require some extra checks in some APIs accepting
strings, there is a risk of performance regressions in critical paths
(e.g. innerHTML setter). We have done our best to mitigate these issues
and at least Speedometer looks good. Meta bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1936014

Trusted Types may potentially cause regressions with Firefox's UA widgets
and web extension content scripts, if they use any "powerful API" in a
page with Trusted Types enforcement enabled. We have detected some of
them and tried to address this issue by skipping Trusted Types checks in
these trusted places; at this point probably only edge cases remain,
but it's difficult to know exactly. Relevant bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1948227
https://bugzilla.mozilla.org/show_bug.cgi?id=1990732

Given the above points, the idea is to enable Trusted Types
incrementally and catch any potential regressions ASAP. As a first step,
we are tentatively enabling Trusted Types in the Nightly build today:
https://bugzilla.mozilla.org/show_bug.cgi?id=1955251

Frédéric Wang

Frédéric Wang

Sep 29, 2025, 5:50:20 AM
to dev-pl...@mozilla.org

On 29/09/2025 at 11:21, Frédéric Wang wrote:
>
> Standards Bodies: W3C, WhatWG, ECMA
nit: I obviously meant TC39 here.
