content(security): add a Trusted Types page#51
Merged
Trusted Types reached Baseline in February 2026 (Firefox completing the set; Chrome/Edge since 2020, Safari 26). It blocks DOM-based XSS at the sink by demanding non-spoofable typed values, switched on via the require-trusted-types-for and trusted-types CSP directives. New security page (status: recommended), changelog entry, and relatedSlugs wired on CSP, SRI, and reporting-endpoints. OG images regenerated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deploying specification-website with

| Field | Value |
| --- | --- |
| Latest commit: | 4e2da66 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://e18a7c0c.specification-website.pages.dev |
| Branch Preview URL: | https://standards-scan-trusted-types.specification-website.pages.dev |
Rework "Why it matters" around a worked DOM-XSS example: a search
widget that writes location.search into innerHTML, the img-onerror
cookie-exfiltration payload that abuses it, and the TypeError Trusted
Types throws in its place. Add the three trusted types mapped to their
sink families so the breadth beyond innerHTML is explicit. Use a single
consistent policy name ("escape") across every snippet so they all
validate under the page's own CSP, and explain the special auto-applied
"default" name in How to implement.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
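The worked example the commit message describes, as an added illustration that is not code from this PR or from the spec page it adds: the search widget before and after the "escape" policy. It assumes a minimal stand-in for the browser's `trustedTypes.createPolicy` and for an enforced `innerHTML` sink so it runs under Node; in a browser, `window.trustedTypes` and a real element take their place.

```javascript
// Added example, not the PR's or the spec page's own code. Enforcement is switched on by
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escape
// The "stand-in" pieces are assumptions that mimic browser behaviour so this runs in Node.

// Stand-in for the browser's opaque TrustedHTML value.
class TrustedHTML { constructor(html) { this.html = html; } toString() { return this.html; } }

// Stand-in for window.trustedTypes; createPolicy(name, rules) has the real API's shape.
const trustedTypes = {
  createPolicy(name, rules) {
    return { name, createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))) };
  },
};

// Stand-in for an element whose innerHTML is an enforced sink: plain strings are rejected.
class Sink {
  constructor() { this.html = ''; }
  set innerHTML(value) {
    if (!(value instanceof TrustedHTML)) {
      throw new TypeError("This document requires 'TrustedHTML' assignment.");
    }
    this.html = String(value);
  }
  get innerHTML() { return this.html; }
}

// HTML-escape so attacker-controlled text can only render as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The one policy name used across the page's snippets; it must be in the
// `trusted-types escape` allowlist or the browser refuses to create it.
const escapePolicy = trustedTypes.createPolicy('escape', { createHTML: escapeHtml });

// Before: the widget writes the query straight into innerHTML (a DOM-XSS sink).
function renderSearchUnsafe(container, search) {
  const q = new URLSearchParams(search).get('q') ?? '';
  container.innerHTML = 'Results for: ' + q; // throws TypeError under enforcement
}

// After: the same widget routes the string through the policy, so the sink
// receives TrustedHTML with the markup escaped.
function renderSearchSafe(container, search) {
  const q = new URLSearchParams(search).get('q') ?? '';
  container.innerHTML = escapePolicy.createHTML('Results for: ' + q);
}
```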
What changed

- New spec page: Trusted Types under security: `src/content/spec/security/trusted-types.md` — status: recommended, order: 95.
- Changelog entry (added): `src/content/changelog/2026-06-23-trusted-types.md`.
- `relatedSlugs` wired on `content-security-policy`, `subresource-integrity`, and `reporting-endpoints`.

Why now

Trusted Types reached Baseline "newly available" in February 2026 — Chrome/Edge since v83 (2020), Safari 26 (Sep 2025), Firefox completing the set in Feb 2026. A feature newly reaching Baseline is the scan's strongest signal to add a page. It also closes a gap the spec already half-acknowledges: the CSP page recommends `require-trusted-types-for 'script'` but never explains what Trusted Types are.

Primary sources

Status justification

recommended, not required: the platform works without it — it is defence-in-depth against DOM-based XSS, not a contract the web breaks without. Now that it is Baseline and enforced purely via response headers + a DOM policy API, it is platform-agnostic and shippable, which is why it earns a page rather than a Slack "needs implementation" flag.

Verification

`npm run build` passes (148 pages indexed; HTML + `.md` endpoint both emit). `npm run lint` / `npm run format:check` clean (one pre-existing `any` warning, unrelated). Draft — not for auto-merge. MCP Worker redeploy is the human post-merge step.
🤖 Generated with Claude Code