Background
Trusted Types is a relatively new web application security feature that protects against DOM XSS. Trusted Types enforcement is currently supported in Chrome 83 and Android WebView. Even where Trusted Types are not enforced by the browser, they can still be used to reduce the DOM XSS attack surface.
DOM XSS
Cross-site scripting (XSS) is one of the most prevalent web security vulnerabilities. DOM XSS occurs on the client side when JavaScript calls dangerous functions with user-supplied input. Examples of dangerous sink functions include innerHTML, outerHTML, eval, and setTimeout. Nonce-based CSP already helps prevent server-side XSS; Trusted Types help prevent DOM-based (client-side) XSS caused by these sink functions.
How It Works
Trusted Types are enabled using CSP directives. When enabled this way, the browser requires user-supplied data to be processed before it is passed to a sink function. Sink functions can only be called with special Trusted Types objects, which tell the browser the data has been sanitized and should be trusted. There are three kinds of trusted objects: TrustedHTML, TrustedScript, and TrustedScriptURL. Which one is created and used depends on what object type a given sink expects.
Trusted objects are created by calling policies. Policies are functions that sanitize input, enforce security rules, and return a Trusted Types object. Trusted objects can also be created by some libraries, such as DOMPurify.
If enabled with CSP's report-only mode, browsers will report Trusted Types violations but not block them.
For more information on Trusted Types visit here and here.
Proposed Changes to Django-CSP
Add require-trusted-types-for Directive
To enable Trusted Types with CSP, two new directives are required. The require-trusted-types-for directive should be configurable using Django-CSP. This directive enables Trusted Types by specifying for which groups of injection sinks Trusted Types should be expected. Only one value currently exists for this directive, 'script', which requires Trusted Types for DOM XSS injection sinks.
Add trusted-types Directive
The trusted-types directive should be configurable using Django-CSP. This directive controls the creation of Trusted Types policies: only policies whose names are listed in this directive can be created. It also allows for the creation/declaration of a default policy. When this directive is not present, policies cannot be created; so if Trusted Types are expected, injection sinks cannot be used at all.
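As an added illustration of what the two proposed settings would need to emit, and of how to check the header a deployment actually sends, here are two hypothetical helpers. They are not django-csp's own API or code: build_csp_header() composes the require-trusted-types-for and trusted-types directives into a Content-Security-Policy value, and audit_trusted_types() parses a header value back and reports whether enforcement is on, which policy names are allow-listed, and any mistakes (for example a quoted policy name, which the browser would not treat as a name). The policy-name grammar is the one from the Trusted Types specification.

```python
"""Compose and audit the CSP directives that switch on Trusted Types.

Added illustration, not django-csp code: build_csp_header() and
audit_trusted_types() are hypothetical helpers (assumed names) showing
what the proposed settings would have to emit and how to verify the header.
"""
import re
from typing import Dict, List, Optional, Sequence

# Policy-name grammar from the Trusted Types spec:
# tt-policy-name = 1*( ALPHA / DIGIT / "-" / "#" / "=" / "_" / "/" / "@" / "." / "%" )
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9\-#=_/@.%]+$")


def build_csp_header(
    require_trusted_types_for: Sequence[str] = ("script",),
    trusted_types: Sequence[str] = ("default",),
    allow_duplicates: bool = False,
    base: Optional[Dict[str, Sequence[str]]] = None,
) -> str:
    """Return a Content-Security-Policy value carrying the two directives.

    Sink groups are quoted keywords ('script'); policy names are bare tokens.
    `base` holds any other directives the site already sends (assumed input).
    """
    directives: Dict[str, List[str]] = {k: list(v) for k, v in (base or {}).items()}
    directives["require-trusted-types-for"] = [f"'{group}'" for group in require_trusted_types_for]
    names = list(trusted_types)
    if allow_duplicates:
        names.append("'allow-duplicates'")  # lets a name be registered more than once
    directives["trusted-types"] = names
    return "; ".join(f"{name} {' '.join(values)}".rstrip() for name, values in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into directives; a repeated directive keeps its first occurrence, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_trusted_types(header: str) -> Dict[str, object]:
    """Report whether the header enforces Trusted Types and which policy names it permits."""
    d = parse_csp(header)
    issues: List[str] = []
    groups = d.get("require-trusted-types-for")
    enforced = groups is not None and "'script'" in groups
    if groups is None:
        issues.append("require-trusted-types-for missing: sinks still accept plain strings")
    elif not enforced:
        issues.append(f"require-trusted-types-for {groups}: only 'script' is defined")

    policies: List[str] = []
    allow_dup = False
    tt = d.get("trusted-types")
    if tt is None:
        issues.append("trusted-types missing: no policy-name allowlist is declared")
    else:
        for token in tt:
            if token == "'allow-duplicates'":
                allow_dup = True
            elif token == "'none'":
                continue  # explicit "no policies at all"
            elif POLICY_NAME_RE.match(token):
                policies.append(token)
            else:
                issues.append(f"invalid policy name {token!r} (quoted names are not policy names)")
        if "'none'" in tt and policies:
            issues.append("'none' listed alongside policy names")
    return {"enforced": enforced, "policies": policies,
            "allow_duplicates": allow_dup, "issues": issues}


if __name__ == "__main__":
    # Constructed sample: a site that already sends default-src and wants two named policies.
    hdr = build_csp_header(trusted_types=("default", "dompurify"), base={"default-src": ["'self'"]})
    print(hdr)
    print(audit_trusted_types(hdr))
```

The same value can be sent under Content-Security-Policy-Report-Only first; the audit output is identical, only the header name changes, so the helper is useful for checking a report-only rollout before switching to enforcement.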
Additional Documentation
These two new CSP directives should be added to the Configuring Django-CSP documentation. A new page should also be added providing more information on Trusted Types and the steps for building a compliant web application.