Prevent DOM-based XSS with Trusted Types and Content Security Policy with report-uri

Once Trusted Types are enabled, then when a plain string is being passed to a so-called sink like the innerHTML or the document.write() method without it being escaped by the Trusted Types policy, a report is generated by the browser. The string will not actually be passed to the sink, if the policy is enforced. This will protect your app against DOM-based cross-site scripting (XSS) attacks.

However, you may need to update your application to call the policy.createHTML() method when assigning data to a sink like the innerHTML property. But you can also create a policy called default, which will be automatically called whenever a string is used in a sink that only accepts Trusted Types.

The CSP response header:

Content-Security-Policy: require-trusted-types-for 'script'; report-uri https://hoyt.has.report/report

Trusted Types with a default policy

#html sink:

show the code

The #html sink:

Related specs & documents