Newly available Useful in modern browsers, but confirm support before making it a core requirement.

Trusted types

The trustedTypes read-only property of the Window interface returns the TrustedTypePolicyFactory object associated with the global object, providing the entry point for using the Trusted Types API.

Security and APIsSecurity

Browser support

Feature Desktop Mobile
Chrome
Edge
Firefox
Safari
Chrome Android
Safari iOS
trustedTypes
83
83
148
26
83
26
innerHTML (enforces trusted types)

Requires `TrustedHTML` instance when trusted types are enforced
83
83
148
26
83
26
innerText (enforces trusted types)

Requires `TrustedScript` instance when trusted types are enforced
83
83
148
26
83
26
src (enforces trusted types)

Requires `TrustedScriptURL` instance when trusted types are enforced
83
83
148
26
83
26
text (enforces trusted types)

Requires `TrustedScript` instance when trusted types are enforced.
83
83
148
26
83
26
textContent (enforces trusted types)

Requires `TrustedScript` instance when trusted types are enforced.
83
83
148
26
83
26
code_param_enforces_trusted_types

`code` parameter requires `TrustedScript` instance when trusted types are enforced.
83
83
148
26
83
26
code_param_enforces_trusted_types

`code` parameter requires `TrustedScript` instance when trusted types are enforced.
83
83
148
26
83
26
innerHTML (enforces trusted types)

Requires `TrustedHTML` instance when trusted types are enforced
83
83
148
26
83
26
TrustedHTML

The TrustedHTML interface of the Trusted Types API represents a string that a developer can insert into an injection sink that will render it as HTML. These objects are created via TrustedTypePolicy.createHTML() and therefore have no constructor.
83
83
148
26
83
26
toJSON

The toJSON() method of the TrustedHTML interface returns a JSON representation of the stored data.
90
90
148
26
90
26
toString

The toString() method of the TrustedHTML interface returns a string which may safely inserted into an injection sink.
83
83
148
26
83
26
TrustedScript

The TrustedScript interface of the Trusted Types API represents a string with an uncompiled script body that a developer can insert into an injection sink that might execute the script. These objects are created via TrustedTypePolicy.createScript and therefore have no constructor.
83
83
148
26
83
26
toJSON

The toJSON() method of the TrustedScript interface returns a JSON representation of the stored data.
90
90
148
26
90
26
toString

The toString() method of the TrustedScript interface returns a string which may be safely inserted into an injection sink.
83
83
148
26
83
26
TrustedScriptURL

The TrustedScriptURL interface of the Trusted Types API represents a string that a developer can insert into an injection sink that will parse it as a URL of an external script. These objects are created via TrustedTypePolicy.createScriptURL and therefore have no constructor.
83
83
148
26
83
26
toJSON

The toJSON() method of the TrustedScriptURL interface returns a JSON representation of the stored data.
90
90
148
26
90
26
toString

The toString() method of the TrustedScriptURL interface returns a string which may safely inserted into an injection sink.
83
83
148
26
83
26
TrustedTypePolicy

The TrustedTypePolicy interface of the Trusted Types API defines a group of functions which create TrustedType objects.
83
83
148
26
83
26
createHTML

The createHTML() method of the TrustedTypePolicy interface creates a TrustedHTML object using a policy created by TrustedTypePolicyFactory.createPolicy().
83
83
148
26
83
26
createScript

The createScript() method of the TrustedTypePolicy interface creates a TrustedScript object using a policy created by TrustedTypePolicyFactory.createPolicy().
83
83
148
26
83
26
createScriptURL

The createScriptURL() method of the TrustedTypePolicy interface creates a TrustedScriptURL object using a policy created by TrustedTypePolicyFactory.createPolicy().
83
83
148
26
83
26
name

The name read-only property of the TrustedTypePolicy interface returns the name of the policy.
83
83
148
26
83
26
TrustedTypePolicyFactory

The TrustedTypePolicyFactory interface of the Trusted Types API creates policies and allows the verification of Trusted Type objects against created policies.
83
83
148
26
83
26
createPolicy

The createPolicy() method of the TrustedTypePolicyFactory interface creates a TrustedTypePolicy object that implements the rules passed as policyOptions.
83
83
148
26
83
26
defaultPolicy

The defaultPolicy read-only property of the TrustedTypePolicyFactory interface returns the default TrustedTypePolicy or null if this is empty.
83
83
148
26
83
26
emptyHTML

The emptyHTML read-only property of the TrustedTypePolicyFactory interface returns a TrustedHTML object containing an empty string.
83
83
148
26
83
26
emptyScript

The emptyScript read-only property of the TrustedTypePolicyFactory interface returns a TrustedScript object containing an empty string.
83
83
148
26
83
26
getAttributeType

The getAttributeType() method of the TrustedTypePolicyFactory interface allows web developers to check if a Trusted Type is required for an element, and if so which Trusted Type is used.
83
83
148
26
83
26
getPropertyType

The getPropertyType() method of the TrustedTypePolicyFactory interface allows web developers to check if a Trusted Type is required for an element's property.
83
83
148
26
83
26
isHTML

The isHTML() method of the TrustedTypePolicyFactory interface returns true if it is passed a valid TrustedHTML object.
83
83
148
26
83
26
isScript

The isScript() method of the TrustedTypePolicyFactory interface returns true if it is passed a valid TrustedScript object.
83
83
148
26
83
26
isScriptURL

The isScriptURL() method of the TrustedTypePolicyFactory interface returns true if it is passed a valid TrustedScriptURL object.
83
83
148
26
83
26
Other
http.headers.Content-Security-Policy.require-trusted-types-for

The HTTP Content-Security-Policy (CSP) require-trusted-types-for directive instructs user agents to control the data passed to DOM XSS sink functions, like Element.innerHTML setter.
83
83
148
26
83
26
http.headers.Content-Security-Policy.trusted-types

The HTTP Content-Security-Policy (CSP) trusted-types directive is used to specify an allowlist of Trusted Type policy names that a website can create using trustedTypes.createPolicy().
83
83
148
26
83
26
1+Supported (version) Not supported Has note Sub-feature descriptions sourced from MDN Web Docs (CC BY-SA 2.5)

Syntax

JAVASCRIPT 
<meta http-equiv="Content-Security-Policy"
  content="require-trusted-types-for 'script'">
<script>
const policy = trustedTypes.createPolicy('default', {
  createHTML: (input) => DOMPurify.sanitize(input)
});
el.innerHTML = policy.createHTML(userInput);
</script>

Use cases

  • Strengthen integration

    Use Trusted types when browser APIs need clearer security boundaries or more explicit capabilities.

  • Connect platform features

    Apply Trusted types when your app benefits from deeper browser or device integration.

Cautions

  • Test Trusted types in your target browsers and input environments before depending on it as a primary behavior.
  • Provide a fallback path or acceptable degradation strategy when support is still limited.

Accessibility

  • Make sure Trusted types supports the intended task without making the page harder to perceive, understand, or operate.

Related links