Security News > 2023 > December > Mozilla decides Trusted Types is a worthy security feature

Mozilla last week revised its position on a web security technology called Trusted Types, which it has decided to implement in its Firefox browser.

Trusted Types addresses the risk of unsafe input by limiting the attack surface via Content Security Policy and a content filtering mechanism.

In a 2021 report [PDF] on Trusted Types, Krzysztof Kotowicz, an information security engineer at Google, wrote, "To date, we have observed zero DOM-XSS in Google applications migrated to Trusted Types."

Bartosz Niemczura, software engineer at Meta, echoed Google's enthusiasm in the Mozilla standards discussion thread, stating, "??At Meta, we see Trusted Types as a useful security mechanism as well.

"I've implemented Trusted Types on a web app, and I felt they were really helpful in identifying lots of 'injection sites' where a cross-site scripting attack could happen, and requiring me to provide a filter or some other way of securing user input that got there," he wrote in an email to The Register.

"The addition of Trusted Types helps to close security holes that were created by that early work. But a competent programmer is required to take advantage of this - cross-site scripting will still be possible if a website doesn't use Trusted Types." .

News URL

https://go.theregister.com/feed/www.theregister.com/2023/12/21/mozilla_decides_trusted_types_is/