Trusted Types API: Google has created a new API that will help Chrome fight a certain class of cross-site scripting (XSS) attacks, adding another level of protection at the browser level.
This new mode is called Trusted Types and is a browser API for Chrome that Google has been working on in recent months.
The company's developers plan to test the Trusted Types API throughout 2019, between Chrome 73 and Chrome 76, before enabling it as a permanent security feature for all Chrome users later in the year.
This new feature was developed to protect users from one of the three types of cross-site scripting flaws, DOM-based (or type-0) XSS.
A detailed analysis of the three XSS types is available here, for readers who want to learn more about XSS.
DOM-based XSS is a vulnerability found in a site's own client-side code. Attackers exploit so-called injection points to insert code into the browser's DOM (the page's in-memory representation of its source) in order to perform unwanted malicious actions, such as stealing cookies, manipulating page content, redirecting users, and so on.
The Trusted Types API will prevent such attacks by allowing page owners to lock down the known "injection points" in a site's code, which are often the root cause of DOM-based XSS.
Webmasters will be able to enable Chrome's upcoming Trusted Types protection by setting a specific value in the Content Security Policy (CSP) HTTP response header.
Once activated, Chrome's built-in Trusted Types API will restrict access to DOM injection points, blocking such attacks before XSS code can leverage the page's DOM to attack users.
A tutorial on how website owners can enable the Trusted Types API through the Content Security Policy (CSP) HTTP response header, and on how users can configure Chrome to use early versions of the API, is available on the Google Developers blog.
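To make the mechanism concrete, here is an added example (written for this page, not code from the article or from Google) of how a page would register a Trusted Types policy so that raw strings can no longer reach DOM injection sinks such as `innerHTML` or `script.src`: every value must first pass through the policy's sanitizer. The policy name `app-policy`, the script-origin allowlist, the escaping sanitizer and the sample inputs are all assumptions chosen for illustration; the CSP directive names quoted in the comment are those of the current Trusted Types specification and are not named in the article. A small stand-in for `window.trustedTypes` is included so the logic also runs outside Chrome, for instance under Node.

```javascript
// Added example: a Trusted Types policy guarding two DOM injection sinks
// (HTML markup and script URLs). Not the article's or Google's own code.
//
// The matching response header a site would send (current directive names,
// assumed here; the article only says a specific CSP value enables the feature):
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-policy
// With that header, Chrome rejects plain strings at the sinks and only accepts
// TrustedHTML / TrustedScriptURL objects produced by a policy named in the header.

// Stand-in for window.trustedTypes so the example runs outside Chrome.
// The native object returns TrustedHTML / TrustedScriptURL objects the DOM sinks
// accept and refuses policy names not listed in the CSP; this stand-in only
// mimics the object shape and performs no enforcement of its own.
const trustedTypesImpl = globalThis.trustedTypes || {
  createPolicy(name, rules) {
    const wrap = (fn) => (input) => {
      const value = fn(String(input));
      return { toString: () => value };
    };
    return {
      name,
      createHTML: wrap(rules.createHTML),
      createScriptURL: wrap(rules.createScriptURL),
    };
  },
};

// Origins this page is allowed to load scripts from (assumed allowlist).
const SCRIPT_ORIGINS = new Set(['https://example.com', 'https://cdn.example.com']);

// Sanitizer for the HTML sink: escape the characters that let text break out
// into markup, so untrusted input is rendered as text, never as elements.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Sanitizer for the script-URL sink: resolve the input against the page origin
// and accept it only if it lands on an allowlisted origin. Non-http(s) schemes
// such as javascript: resolve to the opaque origin "null" and are rejected.
function checkScriptUrl(s) {
  let url;
  try {
    url = new URL(s, 'https://example.com/');
  } catch {
    throw new TypeError('unparseable script URL');
  }
  if (!SCRIPT_ORIGINS.has(url.origin)) {
    throw new TypeError(`script origin not allowed: ${url.origin}`);
  }
  return url.href;
}

// The policy itself. In Chrome, createPolicy throws if 'app-policy' is not
// listed in the trusted-types CSP directive, so a stray policy cannot be added.
const policy = trustedTypesImpl.createPolicy('app-policy', {
  createHTML: escapeHtml,
  createScriptURL: checkScriptUrl,
});

// Page code calls these instead of assigning raw strings to a sink, e.g.
//   el.innerHTML = policy.createHTML(comment);
//   scriptEl.src  = policy.createScriptURL(path);
function renderUserComment(untrusted) {
  return String(policy.createHTML(untrusted));
}

function resolveScriptSource(untrusted) {
  try {
    return String(policy.createScriptURL(untrusted));
  } catch (e) {
    return null; // rejected by the policy: the sink never sees this value
  }
}

// Constructed sample inputs: a textbook XSS probe, a benign comment, and a
// mix of allowed and disallowed script locations.
console.log(renderUserComment('<script>alert(1)</script>'));   // escaped text
console.log(renderUserComment('Tom & Jerry'));                 // Tom &amp; Jerry
console.log(resolveScriptSource('/static/app.js'));            // same-origin: allowed
console.log(resolveScriptSource('//evil.example/x.js'));       // null (other origin)
console.log(resolveScriptSource('javascript:void(0)'));        // null (opaque origin)
```

The design point is that the sanitizer lives in exactly one place, the policy, and the browser (via the CSP header) refuses anything that did not go through it; a developer who forgets to sanitize gets a hard error at the sink rather than a silent DOM XSS.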