[NEW-FEATURE] Include trusted-types #261

@craigfrancis

Description

Is your feature request related to a problem? Please describe.
The OWASP Secure Headers Project page discusses the Content Security Policy (CSP) Header, but does not mention Trusted Types, which is enabled via the require-trusted-types-for 'script' and trusted-types directives:

https://www.w3.org/TR/trusted-types/

Describe the solution you'd like
On the OWASP Secure Headers Project page, under the "Response Headers" tab, there is a "Content-Security-Policy" section; this should include:

  • require-trusted-types-for 'script'
  • trusted-types 'none'

Personally I think it justifies its own section describing what it does, and how it works.

I would also note that while trusted-types 'none' is the ideal setup (this ensures all unsafe JavaScript APIs are disabled), websites can create objects (the policies) with methods which are trusted to return values for unsafe JavaScript APIs (while these are risky, they make auditing code considerably easier).

For example, a JavaScript object can be created (and set up as a policy), where it defines a createHTML function (method) to accept an input string and passes it through DOMPurify (or maybe one day the HTML Sanitizer API), so that it can be trusted to use the dangerous JavaScript API innerHTML.

Describe alternatives you've considered
None

Additional context
Trusted Types have been supported in Chrome-based browsers since May 2020 (version 83) and Safari since September 2025 (version 26), and have been enabled in Firefox Nightly 145.

When implemented, Trusted Types provide an incredibly robust set of protections against DOM-based XSS, and force developers to code with safe JavaScript APIs (with feedback as soon as they write and test their code).

I've got a basic overview at:
https://eiv.dev/trusted-types/

For some websites, it can be tricky to set up if the unsafe JavaScript APIs are used a lot (often due to third-party libraries). But you can create a generic object that simply returns the input string; while this is unsafe in itself, it can be added to all existing code where it has used these unsafe APIs. This makes the code easy to audit and correct over time (eventually this generic object would be removed when it's no longer needed).
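The setup described in this issue, as an added example (not code from the issue author or from the OWASP project): the two CSP directives, a sanitizing createHTML policy, and the temporary passthrough policy used during migration. It assumes the policy names `sanitizer` and `legacy`, uses plain HTML escaping as a stand-in for DOMPurify.sanitize(), and falls back to a constructed plain object when the browser `trustedTypes` API is absent, so the module also runs under Node.

```javascript
// Build the Content-Security-Policy value. With no policy names the
// directive is trusted-types 'none', which forbids creating any policy.
function buildCsp(policyNames) {
  const allowed = policyNames.length ? policyNames.join(' ') : "'none'";
  return `require-trusted-types-for 'script'; trusted-types ${allowed}`;
}

// Stand-in for DOMPurify.sanitize(input) (assumption for this example):
// escaping every HTML-significant character so markup cannot execute.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Use the browser's trustedTypes.createPolicy when available; otherwise
// return a constructed object with the same createHTML shape (the browser
// version returns TrustedHTML objects, which String() converts back).
function createPolicy(name, rules) {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(name, rules);
  }
  return { name, createHTML: (s) => String(rules.createHTML(s)) };
}

// Policy whose output is trusted for innerHTML because it is sanitized.
const sanitizer = createPolicy('sanitizer', { createHTML: escapeHtml });

// Passthrough policy for migration only: unsafe in itself, but every call
// site using it is now visible and can be fixed over time, then removed.
const legacyPassthrough = createPolicy('legacy', { createHTML: (s) => s });

// Header values for the migration phase and for the final strict setup.
const CSP_MIGRATION = buildCsp(['sanitizer', 'legacy']);
const CSP_STRICT = buildCsp([]);

// Sink usage: assigning a TrustedHTML value keeps innerHTML allowed
// under require-trusted-types-for 'script'.
function renderUntrusted(element, untrusted) {
  element.innerHTML = sanitizer.createHTML(untrusted);
}
```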
