Philippe De Ryck

Securing Frontend Applications with Trusted Types

Fully eradicate DOM-based cross-site scripting in your application. Trusted Types provides a browser-level defense that makes the secure path the only available path.

#1 (about 4 minutes)

Understanding the real-world danger of cross-site scripting

Cross-site scripting (XSS) allows attackers to execute malicious code in a user's browser, with severe consequences like data theft.

#2 (about 4 minutes)

How modern frameworks fail to prevent all XSS attacks

Frameworks like Angular and React encode output by default, but escape hatches such as React's `dangerouslySetInnerHTML` hand raw HTML to the DOM and reintroduce XSS risks.

#3 (about 6 minutes)

Using sanitization to safely render dynamic HTML

Sanitizing user-provided HTML with a library such as DOMPurify is essential for preventing XSS whenever you deliberately bypass the framework's default encoding to render rich content.

#4 (about 7 minutes)

How Trusted Types change browser behavior to block XSS

Enabling Trusted Types with the Content Security Policy directive `require-trusted-types-for 'script'` makes dangerous DOM sinks like `innerHTML` reject plain strings and accept only typed objects (`TrustedHTML`, `TrustedScript`, `TrustedScriptURL`) minted by a policy.

#5 (about 5 minutes)

Using Trusted Types in development to secure all browsers

Even though browser support for enforcement is still limited, enabling Trusted Types during development surfaces every unsafe sink assignment so it can be fixed at the source; those fixes protect users on every browser, whether or not it enforces Trusted Types.

#6 (about 6 minutes)

Securing third-party libraries with a default policy

A policy named `default` is invoked by the browser whenever a plain string reaches a protected sink, so it can sanitize insecure DOM assignments made by third-party dependencies that know nothing about Trusted Types, covering the whole application.
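The behaviour summarised in chapters 4 to 6 (sinks refusing strings, a named policy as the only way to produce `TrustedHTML`, violations recorded during development, and a `default` policy catching assignments from dependencies) as an added example; this is not code from the talk. It runs in Node, which has no DOM, so it assumes a small stand-in named `tt` for `trustedTypes.createPolicy`/`isHTML` and a `FakeElement` whose `innerHTML` setter behaves as it would under `require-trusted-types-for 'script'`. In a browser you would use `window.trustedTypes` and real elements; `thirdPartyWidget` and the `ATTACK` payload are constructed for the demonstration.

```javascript
// Added example, not from the talk. Node has no DOM, so `tt` and `FakeElement`
// are a minimal stand-in (an assumption) for the browser's trustedTypes API and
// for an innerHTML setter enforced by `require-trusted-types-for 'script'`.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Typed wrapper: the only value an enforced sink accepts. Only a policy mints it.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

const policies = new Map();
const tt = {
  // Mirrors trustedTypes.createPolicy(name, rules): the result of the rules'
  // createHTML is wrapped, so callers cannot forge TrustedHTML from a raw string.
  createPolicy(name, rules) {
    if (policies.has(name)) throw new TypeError(`Policy "${name}" already exists`);
    const policy = {
      name,
      createHTML: (input, ...sinkInfo) =>
        new TrustedHTML(rules.createHTML(String(input), ...sinkInfo)),
    };
    policies.set(name, policy);
    return policy;
  },
  isHTML: (v) => v instanceof TrustedHTML,
};

// Models element.innerHTML with Trusted Types enforced: TrustedHTML is written
// through; a plain string is offered to the policy named "default" and is
// rejected with a TypeError when no default policy has been registered.
class FakeElement {
  #html = '';
  set innerHTML(value) {
    if (tt.isHTML(value)) { this.#html = value.toString(); return; }
    const fallback = policies.get('default');
    if (!fallback) throw new TypeError("This document requires 'TrustedHTML' assignment.");
    // Browsers pass the requested type and the sink name as extra arguments.
    this.#html = fallback.createHTML(value, 'TrustedHTML', 'Element innerHTML').toString();
  }
  get innerHTML() { return this.#html; }
}

// Constructed sample payload: a classic DOM XSS vector.
const ATTACK = '<img src=x onerror="alert(1)">';

// Chapter 4: with enforcement on and no default policy, the string is refused.
function assignRawString(html) {
  const el = new FakeElement();
  try { el.innerHTML = html; return 'assigned'; } catch (e) { return e.constructor.name; }
}
const beforeDefault = assignRawString(ATTACK);

// The intended path: code that means to write HTML goes through a named policy
// whose createHTML encodes (or, for rich content, sanitizes) the input.
const textOnly = tt.createPolicy('text-only', { createHTML: escapeHtml });
function renderTrusted(untrusted) {
  const el = new FakeElement();
  el.innerHTML = textOnly.createHTML(untrusted);
  return el.innerHTML;
}

// Chapters 5 and 6: a default policy catches every string assignment you did not
// convert, records where it came from (useful in development), and returns a safe
// value instead of breaking the page.
const violations = [];
tt.createPolicy('default', {
  createHTML(input, type, sink) {
    violations.push({ type, sink, sample: input.slice(0, 40) });
    // Strict fallback: treat the string as text. With DOMPurify loaded you would
    // `return DOMPurify.sanitize(input)` here instead to keep safe markup.
    return escapeHtml(input);
  },
});

// Constructed stand-in for a dependency that still assigns raw strings.
function thirdPartyWidget(el, data) { el.innerHTML = data; }

function renderViaDefault(untrusted) {
  const el = new FakeElement();
  thirdPartyWidget(el, untrusted);
  return el.innerHTML;
}

console.log({ beforeDefault, trusted: renderTrusted(ATTACK), viaDefault: renderViaDefault(ATTACK), violations });
```

The order matters: `assignRawString` is evaluated before the `default` policy exists, which is why it fails, while the same call made afterwards succeeds and leaves an entry in `violations`. That log is the development-time signal from chapter 5; in production the entry would go to a reporting endpoint rather than an array.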

#7 (about 13 minutes)

Q&A on framework comparisons and advanced concepts

The speaker answers audience questions about Vue.js, server-side validation, policy injection risks, browser polyfills, and the future of native sanitization APIs.
