Prevent DOM-based XSS with Trusted Types and Content Security Policy with report-uri

With Trusted Types enforced, the browser generates a report whenever a plain string reaches an injection sink such as innerHTML or document.write() without first passing through a Trusted Types policy. Because the policy is enforced (not report-only), the string never actually reaches the sink, which protects your app against DOM-based cross-site scripting (XSS).

The CSP response header:

Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://worm.has.report/report
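The header above makes the browser POST a JSON report to the report-uri endpoint each time a sink is blocked. The following is an added example, not code from this page or its demo, showing how an endpoint can parse such a report-uri body and recognise a Trusted Types sink violation. The report body is constructed for the example (the document URL, line numbers and sink name are made up); the field names follow the legacy "csp-report" format that report-uri produces, and the "trusted-types-sink" / "trusted-types-policy" blocked-uri values are the ones the Trusted Types spec assigns to sink and policy-name violations.

```javascript
// Added example: parsing a report-uri POST body for a Trusted Types violation.
// SAMPLE_REPORT_BODY is constructed for this example and is not a real report.
const SAMPLE_REPORT_BODY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.test/demo',                  // constructed
    'referrer': '',
    'violated-directive': 'require-trusted-types-for',
    'effective-directive': 'require-trusted-types-for',
    'original-policy': "require-trusted-types-for 'script'; report-uri https://worm.has.report/report",
    'disposition': 'enforce',
    'blocked-uri': 'trusted-types-sink',                          // spec value for sink violations
    'status-code': 200,
    'script-sample': 'Element innerHTML|<img src=x onerror=...',  // constructed: "<sink>|<start of string>"
    'source-file': 'https://example.test/demo',                   // constructed
    'line-number': 42,
    'column-number': 7,
  },
});

// Parse one report-uri POST body. Returns null for anything that is not a CSP report,
// so a noisy or malformed submission never throws inside the endpoint.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  const r = parsed && parsed['csp-report'];
  if (!r || typeof r !== 'object') return null;

  const directive = String(r['effective-directive'] || r['violated-directive'] || '');
  const blockedUri = String(r['blocked-uri'] || '');

  // Trusted Types violations are identified either by the directive that fired or by the
  // special blocked-uri values the spec uses ("trusted-types-sink" for a string reaching a
  // sink, "trusted-types-policy" for a disallowed policy name).
  const isTrustedTypes =
    directive === 'require-trusted-types-for' ||
    directive === 'trusted-types' ||
    blockedUri === 'trusted-types-sink' ||
    blockedUri === 'trusted-types-policy';

  // The sample field carries the sink name, a '|', then the start of the offending string.
  const rawSample = String(r['script-sample'] || '');
  const sep = rawSample.indexOf('|');

  return {
    documentUri: String(r['document-uri'] || ''),
    directive,
    blockedUri,
    // "enforce" means the string was blocked; "report" means it would have been.
    enforced: r['disposition'] === 'enforce',
    isTrustedTypes,
    sink: sep >= 0 ? rawSample.slice(0, sep) : '',
    sample: sep >= 0 ? rawSample.slice(sep + 1) : rawSample,
    location: `${r['source-file'] || ''}:${r['line-number'] || 0}:${r['column-number'] || 0}`,
  };
}

// One-line triage summary suitable for a log or alert; non-CSP bodies yield null.
function summarizeReport(body) {
  const rep = parseCspReport(body);
  if (!rep) return null;
  const kind = rep.isTrustedTypes ? 'trusted-types' : 'csp';
  const action = rep.enforced ? 'blocked' : 'would-block';
  return `${kind} ${action} sink=${rep.sink || '-'} at ${rep.location} on ${rep.documentUri}`;
}
```

An "enforce" disposition on a sink violation means the string never reached the DOM, so it points either at code that still writes plain strings to sinks (fix by routing through a policy) or at an injection attempt that the policy stopped; either way the source-file and line number in the report locate the call site. Reports delivered via the newer report-to directive use a different JSON shape and would need a separate parser.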

Trusted Types with a custom policy
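The following is an added example of a custom Trusted Types policy; it is not the demo's own code. It assumes a page served with the header above, where window.trustedTypes is available and plain strings assigned to innerHTML are rejected. So that the same code also runs offline (for instance under Node, which has no trustedTypes), a minimal stand-in factory with the same createPolicy() shape is used when the real one is absent; the policy name "escape-only", the element stand-in and the sample input are all constructed for the example.

```javascript
// Added example: an escape-only Trusted Types policy that makes untrusted text safe
// for innerHTML by turning every markup-significant character into an entity.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Returns the browser's trustedTypes factory when present; otherwise a minimal stand-in
// (assumption for offline use) that mirrors createPolicy() and returns objects whose
// string value is the policy's output, like a TrustedHTML value would.
function getTrustedTypesFactory() {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') return tt;

  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      return {
        name,
        createHTML(input) {
          if (typeof rules.createHTML !== 'function') {
            throw new TypeError('createHTML is not defined for this policy');
          }
          const out = rules.createHTML(String(input));
          return { toString: () => out };  // stand-in for a TrustedHTML object
        },
      };
    },
  };
}

// The policy: everything passed through createHTML() is escaped, so attacker-controlled
// text renders as literal characters and is never parsed as markup.
const escapePolicy = getTrustedTypesFactory().createPolicy('escape-only', {
  createHTML: (input) => escapeHtml(input),
});

// Write untrusted text into an element via the policy. In an enforcing browser, assigning
// the raw `untrusted` string here would throw a TypeError and trigger a CSP report; the
// TrustedHTML value from the policy is accepted. Returns the markup that was assigned.
function renderUntrusted(element, untrusted) {
  const safe = escapePolicy.createHTML(untrusted);
  element.innerHTML = safe;
  return String(safe);
}

// Constructed sample input and a stand-in element for offline use;
// in the browser use document.getElementById(...) instead.
const SAMPLE_INPUT = '<script>alert(1)</script>Hello & welcome';
const demoElement = { innerHTML: '' };
renderUntrusted(demoElement, SAMPLE_INPUT);
```

Two points worth knowing when wiring this into a real page. First, the header on this page uses only require-trusted-types-for 'script', so any policy name is accepted; adding a trusted-types directive (for example trusted-types escape-only) restricts which names createPolicy() may use, and attempts to create other names are reported as policy violations. Second, a policy named "default" is special: the browser applies it automatically to plain strings that reach a sink, which is convenient for migrating legacy code but means an over-permissive default policy silently reopens every sink.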


Related specs & documents