Securing Frontend Applications with Trusted Types

Fully eradicate DOM-based cross-site scripting in your application. Trusted Types provides a browser-level defense that makes the secure path the only available path.

#1about 4 minutes

Understanding the real-world danger of cross-site scripting

Cross-site scripting (XSS) allows attackers to execute malicious code in a user's browser, with severe consequences like data theft.

#2about 4 minutes

How modern frameworks fail to prevent all XSS attacks

While frameworks like Angular and React encode data by default, properties like `dangerouslySetInnerHTML` create bypasses that reintroduce XSS risks.

#3about 6 minutes

Using sanitization to safely render dynamic HTML

Sanitizing user-provided HTML with libraries like DOMPurify is crucial for preventing XSS, especially when bypassing framework defaults.

#4about 7 minutes

How Trusted Types change browser behavior to block XSS

Enabling Trusted Types via a Content Security Policy header forces dangerous DOM sinks like `innerHTML` to reject strings and only accept safe, typed objects.

#5about 5 minutes

Using Trusted Types in development to secure all browsers

Even with limited browser support, using Trusted Types during development helps developers find and fix XSS vulnerabilities that benefit users on all platforms.

#6about 6 minutes

Securing third-party libraries with a default policy

A default Trusted Types policy can automatically sanitize insecure DOM assignments from third-party dependencies, securing your entire application.

#7about 13 minutes

Q&A on framework comparisons and advanced concepts

The speaker answers audience questions about Vue.js, server-side validation, policy injection risks, browser polyfills, and the future of native sanitization APIs.