
Trusted Types #500

@kara

Description

Author: @koto

Trusted Types enable writing web applications that are free from DOM-Based Cross-Site Scripting (XSS), the most prevalent web application vulnerability.

DOM-Based XSS occurs when attacker-controlled values reach certain Web API functions, such as Element.innerHTML, which cause the attacker's JavaScript code to execute. This pattern is common, especially in larger applications, and detecting it requires complex interprocedural data-flow tracking in a dynamic language (an innocuous-looking a[b] = c might actually be a vulnerability if a is a DOM element and b resolves to a sink property). Before Trusted Types adoption at Google, DOM-Based XSS accounted for >50% of the XSS reported to the Google VRP.

Trusted Types lock down those execution sinks so that they only accept values that were created securely: either static values in the code, or values produced by author-created policies. One can also create a default, catch-all policy, e.g. to sanitize HTML or to programmatically control where scripts can be loaded from.

The lockdown is controlled via CSP, which enables breakage-free rollouts with report-only mode, and gradual, backwards-compatible code migration: the new APIs can be used without locking down the execution sinks. In fact, about 60% of page loads in Chrome globally already create a Trusted Types policy, likely via inclusion of Alphabet's libraries, whereas around 14% of the traffic enforces Trusted Types via CSP.
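As an added illustration of the two paragraphs above (not code from the proposal, the spec or any browser), the following Node.js script models the policy and sink semantics: a policy factory gated by the `trusted-types` directive, sinks that demand `TrustedHTML` / `TrustedScriptURL` once `require-trusted-types-for 'script'` is set, a default policy consulted for legacy string writes, and the report-only vs. enforce distinction. `Enforcer`, `assign`, `SINKS`, `escapeHtml` and the `static.example` / `evil.example` hosts are invented for the example; in a real page the engine provides `trustedTypes` and performs the sink checks itself.

```javascript
// Added example, not code from the proposal, the spec or any browser: a Node.js
// model of the policy/sink semantics described above. In a browser the engine
// provides the `trustedTypes` global and checks the sinks against the CSP; here
// both are simulated. Enforcer, assign, SINKS and escapeHtml are names invented here.
const RAW = Symbol('raw');

// Branded wrapper types: only a policy can mint them, so holding one is evidence
// that the value passed through reviewed policy code.
class TrustedHTML { constructor(s) { this[RAW] = String(s); } toString() { return this[RAW]; } }
class TrustedScriptURL { constructor(s) { this[RAW] = String(s); } toString() { return this[RAW]; } }

// Sink property -> expected type, policy rule to call, and the sink name a default policy is told.
const SINKS = {
  innerHTML: { Type: TrustedHTML, rule: 'createHTML', name: 'Element innerHTML' },
  src: { Type: TrustedScriptURL, rule: 'createScriptURL', name: 'HTMLScriptElement src' },
};

// Parse the two Trusted Types CSP directives: `require-trusted-types-for 'script'`
// turns the sink checks on; `trusted-types a b` allowlists policy names ('*' = any).
function parseCsp(header) {
  const csp = { requireForScript: false, allowedPolicies: null };
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name === 'require-trusted-types-for' && values.includes("'script'")) csp.requireForScript = true;
    if (name === 'trusted-types') csp.allowedPolicies = new Set(values);
  }
  return csp;
}

class Enforcer {
  // reportOnly models Content-Security-Policy-Report-Only instead of Content-Security-Policy.
  constructor(cspHeader, { reportOnly = false } = {}) {
    Object.assign(this, { csp: parseCsp(cspHeader), reportOnly, defaultRules: null, violations: [] });
  }
  // Record a violation (what a browser would send to report-to); fatal in enforce mode.
  violate(message) { this.violations.push(message); if (!this.reportOnly) throw new TypeError(message); }
  // Model of trustedTypes.createPolicy(name, rules); duplicate-name handling omitted.
  createPolicy(name, rules) {
    const allowed = this.csp.allowedPolicies;
    if (allowed && !allowed.has('*') && !allowed.has(name)) this.violate(`Policy "${name}" is not in the trusted-types allowlist`);
    if (name === 'default') this.defaultRules = rules;
    // A missing rule throws; a rule returning null/undefined yields an empty trusted value.
    const wrap = (rule, Type) => (input) => {
      if (typeof rule !== 'function') throw new TypeError(`Policy "${name}" has no ${Type.name} rule`);
      return new Type(rule(String(input)) ?? '');
    };
    return { name, createHTML: wrap(rules.createHTML, TrustedHTML),
             createScriptURL: wrap(rules.createScriptURL, TrustedScriptURL) };
  }
  // Model of a sink write such as `element.innerHTML = value` (`element` is a plain object here).
  assign(element, prop, value) {
    const { Type, rule, name } = SINKS[prop];
    let out = value instanceof Type ? value.toString() : null;
    if (out === null && !this.csp.requireForScript) out = String(value);  // no lockdown: plain DOM XSS risk
    if (out === null && this.defaultRules && this.defaultRules[rule]) {
      out = this.defaultRules[rule](String(value), name) ?? null;  // default policy also sees the sink name
    }
    if (out === null) {  // untrusted string and no default policy, or the default policy said "block"
      this.violate(`This document requires '${Type.name}' assignment (sink: ${name})`);
      out = String(value);  // only reached in report-only mode: the write happens, a report is queued
    }
    return (element[prop] = String(out));
  }
}

// Toy sanitizer for the demo policies (escapes everything); a real deployment would use a proper HTML sanitizer.
const escapeHtml = s => s.replace(/[&<>"']/g,
  c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
const throwsTypeError = fn => { try { fn(); return false; } catch (e) { return e instanceof TypeError; } };

// Walk through the rollout stages described above and collect what happened.
function demo() {
  const r = {};
  const attacker = '<img src=x onerror=alert(1)>';  // constructed attacker-controlled input
  // 1. No Trusted Types CSP: the classic DOM XSS write goes through untouched.
  r.noCsp = new Enforcer('').assign({}, 'innerHTML', attacker);
  // 2. Report-only: identical behaviour, but every untrusted write is reported.
  const ro = new Enforcer("require-trusted-types-for 'script'; trusted-types app", { reportOnly: true });
  r.reportOnlyValue = ro.assign({}, 'innerHTML', attacker);
  r.reportOnlyViolations = ro.violations.length;
  // 3. Enforced: raw strings are rejected, allowlisted-policy output is accepted, unlisted policy names cannot be created.
  const enf = new Enforcer("require-trusted-types-for 'script'; trusted-types app");
  const app = enf.createPolicy('app', { createHTML: escapeHtml });
  r.enforcedRejectsString = throwsTypeError(() => enf.assign({}, 'innerHTML', attacker));
  r.enforcedAccepts = enf.assign({}, 'innerHTML', app.createHTML(attacker));
  r.unlistedPolicyRejected = throwsTypeError(() => enf.createPolicy('rogue', { createHTML: s => s }));
  // 4. Default policy: catch-all for legacy string writes; sanitizes HTML, allows one script origin (null blocks).
  const legacy = new Enforcer("require-trusted-types-for 'script'; trusted-types default");
  legacy.createPolicy('default', {
    createHTML: escapeHtml,
    createScriptURL: url => (url.startsWith('https://static.example/') ? url : null),
  });
  r.defaultSanitized = legacy.assign({}, 'innerHTML', attacker);
  r.defaultScriptAllowed = legacy.assign({}, 'src', 'https://static.example/app.js');
  r.defaultScriptBlocked = throwsTypeError(() => legacy.assign({}, 'src', 'https://evil.example/x.js'));
  return r;
}

console.log(demo());
```

Run with `node`; `demo()` shows the same write going through untouched with no CSP, being reported under a report-only header, and being rejected or rewritten by the default policy under enforcement, which is the migration path the proposal describes. The escaping sanitizer is deliberately crude: the point is that only policy code can produce a value the sink accepts, so the review surface for DOM XSS shrinks to the policy bodies.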

Altogether, Trusted Types enable both writing new applications that are XSS-free and eliminating DOM-Based XSS from existing applications, with a track record from Microsoft, Meta and Alphabet adoptions. As a data point, Alphabet applications migrated to Trusted Types have 0 reported XSS against them; we only see these bugs in applications not yet migrated, which is a significant reduction. In 2018 the Google VRP paid $360K in rewards for all XSS reports; in 2022 it was $95K.

Specification

https://www.w3.org/TR/2022/WD-trusted-types-20220927/

Open Issues

No response

Tests

https://wpt.fyi/results/trusted-types

Current Implementations

  • Blink
  • Gecko
  • WebKit

Standards Positions

Firefox: mozilla/standards-positions#20

Safari: WebKit/standards-positions#186

Browser bug reports

Limited feedback so far; the Chromium component is tracked at https://bugs.chromium.org/p/chromium/issues/list?q=component%3ABlink%3ESecurityFeature%3ETrustedTypes&can=1

Developer discussions

Trusted Types rollouts - w3c
Trusted Types - mid 2021 report

Meta uses Trusted Types by default for new products, and is rolling out TT enforcement in existing products (in 2022 they reported 50% already migrated).
Microsoft uses Trusted Types for Edge integration applications (Bing Collections) and in Edge WebUI pages.

Integration of Trusted Types is completed or ongoing for several libraries and frameworks (https://github.com/w3c/trusted-types/wiki/Integrations); that page might be a bit outdated, e.g.

  • TT are supported in Next.js
  • TT are a top priority for the Angular framework, as they would allow it to move away from user-space safe-value constructs.

Polls & Surveys

No response

Existing Usage

  • https://chromestatus.com/metrics/feature/timeline/popularity/3279 (60% of page loads create a Trusted Types policy in the main document or a subframe)
  • https://chromestatus.com/metrics/feature/timeline/popularity/2724 (0.2% use a default Trusted Types policy)
  • https://chromestatus.com/metrics/feature/timeline/popularity/3160 (12.5% enforce Trusted Types via CSP)
  • https://chromestatus.com/metrics/feature/timeline/popularity/3161 (2.8% use a report-only Trusted Types CSP)

Workarounds

No response

Accessibility Impact

No response

Privacy Impact

No response

Other

No response