require-trusted-types-for
Content-Security-Policy Document

Overview

require-trusted-types-for forbids assigning raw strings to dangerous DOM sinks (innerHTML, script.src, eval, etc.), requiring Trusted Types objects instead. Specifying 'script' structurally blocks DOM-based XSS (sink injection).

Details

Traditional CSP (script-src, etc.) blocks resource loading and inline execution but cannot fully stop client-side DOM XSS like element.innerHTML = untrustedString. Enabling require-trusted-types-for 'script' makes the browser reject raw-string assignments to dangerous DOM sinks, permitting only TrustedHTML, TrustedScript, and TrustedScriptURL objects that passed a developer-defined Trusted Types policy. This funnels risky data through a single choke point (the policy function), concentrating audit and sanitization there.

This directive pairs with the trusted-types directive (which lists allowed policy names). On adoption, existing code that writes strings directly to DOM sinks throws exceptions everywhere, so a realistic path is to collect violations in Report-Only mode, identify refactor points, and enforce gradually. Support is currently centered on Chromium-based browsers.

Syntax

Content-Security-Policy: require-trusted-types-for 'script'

Notes

Related directives