The TrustedTypePolicyFactory interface of the Trusted Types API creates policies and allows the verification of Trusted Type objects against created policies.
TrustedTypePolicyFactory
Properties
-
TrustedTypePolicyFactory.emptyHTMLRead only -
Returns a
TrustedHTMLobject containing an empty string. -
TrustedTypePolicyFactory.emptyScriptRead only -
Returns a
TrustedScriptobject containing an empty string. -
TrustedTypePolicyFactory.defaultPolicyRead only -
Returns the default
TrustedTypePolicyor null if this is empty.
Methods
-
TrustedTypePolicyFactory.createPolicy() -
Creates a
TrustedTypePolicyobject that implements the rules passed aspolicyOptions. -
TrustedTypePolicyFactory.isHTML() -
When passed a value checks that it is a valid
TrustedHTMLobject. -
TrustedTypePolicyFactory.isScript() -
When passed a value checks that it is a valid
TrustedScriptobject. -
TrustedTypePolicyFactory.isScriptURL() -
When passed a value checks that it is a valid
TrustedScriptURLobject. -
TrustedTypePolicyFactory.getAttributeType() -
Allows web developers to check whether a Trusted Type is required for an element and attribute, and if so which one.
-
TrustedTypePolicyFactory.getPropertyType() -
Allows web developers to check whether a Trusted Type is required for a property, and if so which one.
Examples
The below code creates a policy with the name "myEscapePolicy" with a function defined for createHTML() which sanitizes HTML.
We then use the policy to sanitize a string, creating a TrustedHTML object, escaped. This object can be tested with isHTML() to ensure that it was created by one of our policies.
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", { createHTML: (string) => string.replace(/\>/g, "<") }); const escaped = escapeHTMLPolicy.createHTML("<img src=x onerror=alert(1)>"); console.log(trustedTypes.isHTML(escaped)) // true;
Specifications
| Specification |
|---|
| Trusted Types # trusted-type-policy-factory |
Browser compatibility
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | WebView Android | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | |
TrustedTypePolicyFactory |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
createPolicy |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
defaultPolicy |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
emptyHTML |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
emptyScript |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
getAttributeType |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
getPropertyType |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
isHTML |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
isScript |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
isScriptURL |
83
|
83
|
No
|
No
|
69
|
No
|
83
|
83
|
No
|
59
|
No
|
13.0
|
© 2005–2021 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/TrustedTypePolicyFactory
