Philippe De Ryck

Securing Frontend Applications with Trusted Types

Fully eradicate DOM-based cross-site scripting in your application. Trusted Types provides a browser-level defense that makes the secure path the only available path.

#1 (about 4 minutes)

Understanding the real-world danger of cross-site scripting

Cross-site scripting (XSS) lets an attacker run their own JavaScript inside a victim's browser session, where it can read and exfiltrate data, hijack the session, and perform actions in the user's name.

#2 (about 4 minutes)

How modern frameworks fail to prevent all XSS attacks

Frameworks like Angular and React encode data by default, but their deliberate escape hatches, such as React's `dangerouslySetInnerHTML` or Angular's `bypassSecurityTrust*` methods, hand raw strings to the DOM and reintroduce exactly the XSS the framework was protecting against.

#3 (about 6 minutes)

Using sanitization to safely render dynamic HTML

When an application genuinely needs to render user-supplied HTML and therefore steps around the framework's default encoding, that markup must first be run through a sanitizer such as DOMPurify, which strips scripts, event-handler attributes and other dangerous constructs while keeping safe formatting.

#4 (about 7 minutes)

How Trusted Types change browser behavior to block XSS

Sending the `require-trusted-types-for 'script'` directive in a Content-Security-Policy header makes dangerous DOM sinks such as `innerHTML`, `eval` and `script.src` reject plain strings; they accept only `TrustedHTML`, `TrustedScript` and `TrustedScriptURL` objects minted by a policy the page has registered, so the secure path becomes the only path.

#5 (about 5 minutes)

Using Trusted Types in development to secure all browsers

Browser support is still limited, but browsers without it simply ignore the directive, so enabling Trusted Types during development costs nothing and surfaces every unsafe DOM assignment as an error; the fixes made as a result protect users on every browser, supporting or not.

#6 (about 6 minutes)

Securing third-party libraries with a default policy

A policy named `default` is invoked by the browser whenever a plain string reaches a protected sink, so string assignments made by third-party dependencies that are not Trusted Types-aware can be sanitized (and logged) centrally, covering the whole application instead of only first-party code.
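The wiring behind chapters #4 and #6, as an added example (not code from the talk): a first-party policy that mints `TrustedHTML`, a `default` policy that catches string assignments from dependencies, and a function that behaves like an enforcing `innerHTML` sink. The small stand-in for the browser's `trustedTypes` factory, the `escapeHTML` placeholder (where a real application would call `DOMPurify.sanitize`), and the `assignInnerHTML` helper are assumptions of this example so that it also runs under Node; in a real page served with the header below the browser supplies `trustedTypes` and enforces every sink itself.

```javascript
// Added example, not code from the talk. The shim below stands in for the
// browser's window.trustedTypes so the control flow can be exercised in Node.

// CSP value that switches enforcement on: DOM sinks accept only TrustedHTML /
// TrustedScript / TrustedScriptURL, and only the listed policy names may be
// created ("default" is the fallback policy installed by installDefaultPolicy).
const CSP_HEADER_VALUE =
  "require-trusted-types-for 'script'; trusted-types app-html default";

// Typed wrapper a policy returns; application code cannot construct it directly.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = String(value); }
  toString() { return this.#value; }
}

// Minimal shim of the trustedTypes factory: createPolicy, isHTML, defaultPolicy.
// (Assumption of this example; the real factory also rejects names not in the CSP.)
function makeShim() {
  const names = new Set();
  let defaultPolicy = null;
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      if (typeof rules.createHTML !== "function") throw new TypeError("createHTML missing");
      names.add(name);
      const policy = {
        name,
        // The browser passes the sink type and name to the default policy.
        createHTML: (input, type, sink) =>
          new TrustedHTML(rules.createHTML(String(input), type, sink)),
      };
      if (name === "default") defaultPolicy = policy;
      return policy;
    },
    isHTML: (value) => value instanceof TrustedHTML,
    get defaultPolicy() { return defaultPolicy; },
  };
}

// Placeholder transformation: encodes everything, so no markup survives.
// A production policy would call DOMPurify.sanitize(input) to keep safe formatting.
function escapeHTML(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// What an enforcing browser does at `element.innerHTML = value`: a typed object
// is accepted; a plain string is routed through the default policy if one is
// registered, otherwise the assignment throws (and a CSP violation is reported).
function assignInnerHTML(tt, element, value) {
  if (tt.isHTML(value)) {
    element.innerHTML = value;          // the typed object itself goes to the sink
    return "trusted";
  }
  if (tt.defaultPolicy) {
    element.innerHTML = tt.defaultPolicy.createHTML(value, "HTMLElement", "innerHTML");
    return "default-policy";
  }
  throw new TypeError("This document requires 'TrustedHTML' assignment.");
}

// Default policy: catches string assignments from dependencies that are not
// Trusted Types aware, sanitizes them, and reports each one so the call site
// can be found and fixed. `sanitize` and `report` are supplied by the caller.
function installDefaultPolicy(tt, sanitize, report) {
  return tt.createPolicy("default", {
    createHTML: (input, type, sink) => {
      report({ type, sink, sample: input.slice(0, 60) });
      return sanitize(input);
    },
  });
}

// Startup wiring as an application would do it (real factory if present).
const trustedTypes = globalThis.trustedTypes ?? makeShim();
// The single first-party policy allowed to mint TrustedHTML for innerHTML.
const appHtml = trustedTypes.createPolicy("app-html", { createHTML: (s) => escapeHTML(s) });
installDefaultPolicy(trustedTypes, escapeHTML, (v) => console.warn("Trusted Types fallback", v));
```

During development it is often better to leave the `default` policy out, or to send the same directives in a `Content-Security-Policy-Report-Only` header, so that every string assignment surfaces as an error or a violation report and gets fixed at its source rather than silently sanitized.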

#7 (about 13 minutes)

Q&A on framework comparisons and advanced concepts

The speaker answers audience questions about Vue.js, server-side validation, the risk of an attacker injecting their own policy, browser polyfills, and the future of native sanitization APIs.
