DOM-based XSS Injection Sinks Detection with Trusted Types and Content Security Policy with report-uri

When you use Trusted Types, and a plain string is passed to a so-called sink like the innerHTML or the document.write() method without it being escaped by the Trusted Types policy, a report is generated by the browser. If the policy is enforced, the string will not be passed to the sink, protecting your app against DOM-based cross-site scripting (XSS) attacks.

However, when starting with Trusted Types, you may want to first check how many of those sinks you're actually using, so you can plan ahead and fix the violations before they break your app. With the following Content-Security-Policy-Report-Only header, your app or website will continue to work normally, but you'll receive a report whenever something uses a sink.

The CSPRO (CSP Report-Only) response header:

Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri

DOM-based XSS

show the code

Related specs & documents