Philippe De Ryck

Securing Frontend Applications with Trusted Types

Fully eradicate DOM-based cross-site scripting in your application. Trusted Types provides a browser-level defense that makes the secure path the only available path.

#1 about 4 minutes

Understanding the real-world danger of cross-site scripting

Cross-site scripting (XSS) allows attackers to execute malicious code in a user's browser, with severe consequences like data theft.

#2 about 4 minutes

How modern frameworks fail to prevent all XSS attacks

While frameworks like Angular and React encode data by default, properties like `dangerouslySetInnerHTML` create bypasses that reintroduce XSS risks.

#3 about 6 minutes

Using sanitization to safely render dynamic HTML

Sanitizing user-provided HTML with libraries like DOMPurify is crucial for preventing XSS, especially when bypassing framework defaults.

#4 about 7 minutes

How Trusted Types change browser behavior to block XSS

Enabling Trusted Types via a Content Security Policy header forces dangerous DOM sinks like `innerHTML` to reject strings and only accept safe, typed objects.

#5 about 5 minutes

Using Trusted Types in development to secure all browsers

Even with limited browser support, enabling Trusted Types during development surfaces every string assignment to a dangerous DOM sink as a violation, so developers can find and fix DOM-based XSS vulnerabilities; the fixes then benefit users on all browsers, whether or not those browsers enforce Trusted Types.

#6 about 6 minutes

Securing third-party libraries with a default policy

A default Trusted Types policy can automatically sanitize insecure DOM assignments from third-party dependencies, securing your entire application.
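The following is an added example, not code from the talk or from any library it mentions. It models how an enforced Trusted Types policy changes sink behaviour (chapter #4), how a violation shows up during development when no default policy exists (chapter #5), and how a default policy catches third-party string assignments and routes them through a sanitizer (chapters #3 and #6). Because the native `window.trustedTypes` object only exists in a browser under a CSP header, the code includes a small shim that reproduces its `createPolicy`, `defaultPolicy` and `isHTML` surface so it runs under Node; the policy names, the `assignInnerHTML` sink stand-in, the `DOMPurify` fallback and the attacker payload are all assumptions made for the example.

```javascript
// Added example: a runnable model of Trusted Types enforcement. The real
// behaviour is switched on by a CSP header such as
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app default
// (deploy it as Content-Security-Policy-Report-Only first to collect violations
// without breaking pages). Everything marked "shim" stands in for the native API.

const PAYLOAD = '<img src=x onerror="alert(1)">'; // constructed attacker input

// Shim for the browser's TrustedHTML type: an opaque wrapper around a string.
class TrustedHTML {
  #html;
  constructor(html) { this.#html = html; }
  toString() { return this.#html; }
}

// Contextual output encoding for an HTML text node or attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Shim for window.trustedTypes. `allowedNames` plays the role of the CSP
// directive `trusted-types app default`: any other policy name is refused,
// and a name can only be created once.
function createTrustedTypesShim(allowedNames = ['app', 'default']) {
  const policies = new Map();
  return {
    createPolicy(name, rules) {
      if (!allowedNames.includes(name) || policies.has(name)) {
        throw new TypeError(`Policy "${name}" refused by CSP or already created`);
      }
      const policy = {
        name,
        createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
      };
      policies.set(name, policy);
      return policy;
    },
    get defaultPolicy() { return policies.get('default') ?? null; },
    isHTML: (value) => value instanceof TrustedHTML,
  };
}

// Models `el.innerHTML = value` under require-trusted-types-for 'script':
// TrustedHTML passes, a plain string is handed to the default policy if one
// exists, otherwise the assignment throws. That thrown TypeError is exactly
// what makes every remaining DOM XSS sink visible during development.
function assignInnerHTML(tt, el, value) {
  if (tt.isHTML(value)) {
    el.innerHTML = value.toString();
  } else if (tt.defaultPolicy) {
    el.innerHTML = tt.defaultPolicy.createHTML(value).toString();
  } else {
    throw new TypeError("This document requires 'TrustedHTML' assignment.");
  }
  return el.innerHTML;
}

// First-party policy: the application only ever needs untrusted input as text,
// so the policy encodes it and wraps it in the markup the app controls.
function installAppPolicy(tt) {
  return tt.createPolicy('app', {
    createHTML: (untrusted) => `<p>${escapeHtml(untrusted)}</p>`,
  });
}

// Default policy for third-party code that still assigns strings to sinks.
// With DOMPurify loaded (as the talk recommends) it sanitizes the markup;
// without a sanitizer available it fails closed and encodes the whole string
// instead of letting raw markup through.
function installDefaultPolicy(tt) {
  const sanitize = typeof globalThis.DOMPurify?.sanitize === 'function'
    ? (s) => globalThis.DOMPurify.sanitize(s)
    : escapeHtml;
  return tt.createPolicy('default', { createHTML: sanitize });
}

// Usage: run the four cases against a constructed element stand-in.
function demo() {
  const el = { innerHTML: '' };
  const results = {};

  // Strict mode: app policy only, no default policy (development setting).
  const strict = createTrustedTypesShim();
  const app = installAppPolicy(strict);
  results.typed = assignInnerHTML(strict, el, app.createHTML(PAYLOAD));
  try { assignInnerHTML(strict, el, PAYLOAD); results.plain = 'assigned'; }
  catch (e) { results.plain = e.constructor.name; }
  try { strict.createPolicy('rogue', { createHTML: (s) => s }); results.rogue = 'created'; }
  catch (e) { results.rogue = e.constructor.name; }

  // Lenient mode: a default policy covers third-party string assignments.
  const lenient = createTrustedTypesShim();
  installAppPolicy(lenient);
  installDefaultPolicy(lenient);
  results.viaDefault = assignInnerHTML(lenient, el, PAYLOAD);
  return results;
}
```

In a real deployment the sink stand-in disappears: with the header in place the browser itself throws on `el.innerHTML = string`, and the only code you keep is the `createPolicy` calls. The shim's refusal of the `rogue` policy is the reason the `trusted-types` directive should list policy names explicitly; an injected script that could create its own policy would otherwise mint TrustedHTML for whatever it likes.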

#7 about 13 minutes

Q&A on framework comparisons and advanced concepts

The speaker answers audience questions about Vue.js, server-side validation, policy injection risks, browser polyfills, and the future of native sanitization APIs.
