
Trusted Types Policy Generator

Trusted Types kills DOM XSS by making it a CSP violation to assign a plain string to a dangerous sink like .innerHTML, document.write, eval, or <script src>. Strings must come from a named policy you create with trustedTypes.createPolicy(name, rules). Configure the header and the policy code below.

Enforcement mode: Start with Content-Security-Policy-Report-Only while you find every violating sink, then flip to enforcing.
require-trusted-types-for: Currently only 'script' is defined in the spec. The directive shape allows future values like 'plugin'.
trusted-types: Space-separated list of names that trustedTypes.createPolicy(name, …) may register. Use 'none' to forbid all policies, or 'allow-duplicates' to allow the same policy name to be created more than once. 'default' is a special policy name — see the default policy in the rollout playbook below.
Reporting endpoint: Optional. Adds report-to to the CSP and emits a paired Report-To header so violations are uploaded to your endpoint.
The generator emits two artifacts: the CSP header (with its paired Report-To header when reporting is enabled) and the policy code. Drop the policy code into your bundle and run it before any user code.
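As an added example (not the generator's own code), here is the header-building logic in JavaScript: it assembles the Content-Security-Policy or Report-Only header value and the paired Report-To header from the options described above. The policy names, reporting group and endpoint URL used below are constructed for the example.

```javascript
// Added example, not the generator's own code: builds the Content-Security-Policy
// header value and the paired Report-To header from the same options the form
// above exposes. Group name and endpoint URL in any usage are constructed.

// Characters the trusted-types directive grammar permits in a policy name.
const POLICY_NAME = /^[A-Za-z0-9\-#=_\/@.%]+$/;

/**
 * @param {object}   opts
 * @param {string[]} opts.policies          names trustedTypes.createPolicy may register
 *                                          ([] forbids all policies via 'none')
 * @param {boolean}  [opts.allowDuplicates] permit re-creating a policy name
 * @param {boolean}  [opts.reportOnly]      emit the -Report-Only header instead
 * @param {{group: string, url: string, maxAge?: number}} [opts.report] reporting endpoint
 * @returns {Record<string, string>} header name -> header value
 */
function buildTrustedTypesHeaders(opts) {
  const { policies, allowDuplicates = false, reportOnly = false, report } = opts;

  // Reject names the directive grammar would not parse; a typo here silently
  // disables the policy rather than the sink, so fail at build time instead.
  for (const name of policies) {
    if (!POLICY_NAME.test(name)) {
      throw new Error(`invalid policy name: ${JSON.stringify(name)}`);
    }
  }
  if (allowDuplicates && policies.length === 0) {
    throw new Error("'allow-duplicates' without any policy names is a configuration error");
  }

  // Only 'script' is a defined sink group today.
  const directives = ["require-trusted-types-for 'script'"];

  // The directive must name every policy the page may create, including 'default'.
  const tokens = policies.length ? policies.slice() : ["'none'"];
  if (allowDuplicates) tokens.push("'allow-duplicates'");
  directives.push(`trusted-types ${tokens.join(' ')}`);

  const headers = {};
  if (report) {
    directives.push(`report-to ${report.group}`);
    // Report-To is a separate header; the group name ties the two together.
    headers['Report-To'] = JSON.stringify({
      group: report.group,
      max_age: report.maxAge ?? 86400,
      endpoints: [{ url: report.url }],
    });
  }
  const headerName = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  headers[headerName] = directives.join('; ');
  return headers;
}
```

Note that 'none' and a default policy are mutually exclusive: the default policy from the rollout playbook only registers if 'default' is one of the listed names, so a rollout that starts with 'none' has to add it when that step is reached.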
Support: Shipped in Chrome 83 / Edge 83 (May 2020). Firefox 134 ships behind dom.security.trusted_types.enabled. Safari does not yet implement Trusted Types — feature-detect with 'trustedTypes' in window and supply a tt polyfill (@github/template-tags, trusted-types/types) for the gap.

Sinks Trusted Types protects

Type: TrustedHTML
  Sinks (assigning a plain string throws): el.innerHTML, el.outerHTML, document.write, document.writeln, iframe.srcdoc, DOMParser.parseFromString, Range.createContextualFragment, el.insertAdjacentHTML
  Required wrapper: trustedTypes.createPolicy(name, { createHTML })

Type: TrustedScript
  Sinks (assigning a plain string throws): el.text on <script>, el.innerText/textContent on <script>, inline event handlers, eval(), Function(), setTimeout(string, …), setInterval(string, …)
  Required wrapper: trustedTypes.createPolicy(name, { createScript })

Type: TrustedScriptURL
  Sinks (assigning a plain string throws): el.src on <script>, importScripts(), SharedWorker, Worker, navigator.serviceWorker.register()
  Required wrapper: trustedTypes.createPolicy(name, { createScriptURL })

Rollout playbook

  1. Inventory. Search your codebase for innerHTML, document.write, eval, and dynamic script.src assignments. Note every library that touches them (jQuery's .html(), Lit's unsafeHTML, etc.).
  2. Ship Report-Only. Deploy the Content-Security-Policy-Report-Only header with a report-to endpoint and collect violations from real users for a week. Don't ship the default policy yet — let everything fail loudly so you see it.
  3. Wrap sinks library-by-library. Create one policy per library (app-html, jquery, lit, …). Sanitize inside createHTML with DOMPurify or equivalent.
  4. Add a default policy as a guard. Once you're close to clean, ship the default policy that logs and sanitizes anything still slipping through. It buys safety while you finish migrating.
  5. Flip to enforcing. Rename the header from Content-Security-Policy-Report-Only to Content-Security-Policy. The default policy stays as a belt-and-braces layer.
  6. Watch for new sinks. Trusted Types only protects sinks the spec defines; when browsers ship a newly specified sink, it is enforced immediately under your existing header. Re-run the inventory periodically.
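The two policy kinds the playbook describes, as an added example in JavaScript (not the generator's output, and not DOMPurify's, jQuery's or any library's code): the per-library app-html policy from step 3 and the logging default policy from step 4, covering the three wrapper functions in the sinks table. sanitizeHtml is a constructed stand-in for DOMPurify.sanitize, SCRIPT_ORIGINS and BASE_URL are constructed values, report() is a hypothetical telemetry hook, and the trustedTypes shim is the feature-detection fallback the support note above recommends.

```javascript
// Added example: not the generator's output and not DOMPurify's or any
// library's code. Assumptions (all constructed for this example):
//   - sanitizeHtml stands in for DOMPurify.sanitize; it escapes all markup.
//   - SCRIPT_ORIGINS is the allow-list of origins scripts may load from.
//   - report() stands in for your telemetry hook.

// Feature detection (Safari, and Node where this is tested): without a
// trustedTypes object, fall back to a shim whose "policy" is just the rules
// object, so every sink still goes through the same validation code.
const tt = globalThis.trustedTypes ?? {
  createPolicy: (name, rules) => ({ name, ...rules }),
};

// Stand-in sanitizer: turns every tag into inert text. Replace with a real
// HTML sanitizer (DOMPurify.sanitize) in production.
function sanitizeHtml(dirty) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(dirty).replace(/[&<>"']/g, (c) => map[c]);
}

// Violation log for the rollout inventory. Keep only a short prefix of the
// offending value: the point is to find the call site, not to store payloads.
const violations = [];
function report(kind, sink, value) {
  violations.push({ kind, sink, sample: String(value).slice(0, 60) });
}

// Per-library policy (playbook step 3): every place the app builds HTML calls
// appHtml.createHTML(dirty) and assigns the result to the sink.
const appHtml = tt.createPolicy('app-html', {
  createHTML: (dirty) => sanitizeHtml(dirty),
});

// Origins from which <script src>, Worker, importScripts etc. may load, and
// the base used to resolve relative URLs (the page URL in a browser).
const SCRIPT_ORIGINS = new Set(['https://app.example.test', 'https://static.example.test']);
const BASE_URL = globalThis.location?.href ?? 'https://app.example.test/';

// Default policy (playbook step 4): the browser calls it whenever a plain
// string reaches a sink with no explicit policy. Its rules receive
// (value, typeName, sinkName), so the sink name goes into the log.
const defaultPolicy = tt.createPolicy('default', {
  // HTML: log so the leak is found, then sanitize so the page keeps working.
  createHTML: (value, type, sink) => {
    report('html', sink, value);
    return sanitizeHtml(value);
  },
  // Script source (eval, Function, script text): there is no safe transform,
  // so log and reject; the sink assignment then throws a TypeError.
  createScript: (value, type, sink) => {
    report('script', sink, value);
    throw new TypeError(`Trusted Types default policy blocked script for ${sink}`);
  },
  // Script URLs: resolve against the page and allow only known origins;
  // throwing makes the assignment fail instead of loading the script.
  createScriptURL: (value, type, sink) => {
    let url = null;
    try { url = new URL(String(value), BASE_URL); } catch { /* unparsable: rejected below */ }
    if (url && SCRIPT_ORIGINS.has(url.origin)) return url.href;
    report('script-url', sink, value);
    throw new TypeError(`Trusted Types default policy blocked script URL for ${sink}`);
  },
});
```

Both names must be listed in the header (trusted-types app-html default), and this module has to execute before anything that touches a sink, otherwise the first innerHTML assignment lands before the default policy exists. In a browser, createHTML returns a TrustedHTML object rather than a string; under the shim it returns the sanitized string, which is what the test checks.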