trusted-typestrusted-types defines the allowed list of policy names that can be created via the Trusted Types API. Each policy holds rules (sanitization logic) converting strings into safe objects like TrustedHTML, and this directive restricts which policy names may exist.
Its value lists permitted policy names (e.g., default dompurify). When trustedTypes.createPolicy(name, rules) is called with a name not on the list, the browser refuses to create the policy. Special keywords include 'none' (forbid any policy → effectively seal dangerous sinks entirely) and 'allow-duplicates' (allow creating multiple policies with the same name). A policy named default serves as the fallback automatically applied to sinks without a specified policy.
trusted-types works together with require-trusted-types-for 'script': the latter enforces 'no raw strings to dangerous sinks,' while the former defines the whitelist of trusted policies that may turn strings into safe objects. Minimizing the number of policies and restricting names prevents an attacker from creating an arbitrary policy to bypass protection, tightly narrowing the trust boundary for DOM-XSS defense.
Content-Security-Policy: trusted-types default dompurify 'allow-duplicates'