

Web Directions Safe ’21 session spotlight–Eliminating XSS by adopting Trusted Types

8th November, 2021

@johnallsopp

Eliminating XSS by adopting Trusted Types

Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant today is DOM-based XSS, which occurs on the client side when untrusted input reaches a dangerous DOM sink such as innerHTML, eval or a script element's src.

Trusted Types is a browser API, switched on through a Content Security Policy, designed to eliminate DOM-based XSS. Once enforced, the dangerous DOM sinks stop accepting plain strings and accept only typed values (TrustedHTML, TrustedScript, TrustedScriptURL) minted by a named policy the application registers; passing a plain string is a Trusted Types violation. Developers therefore have to prove that input is safe by routing it through a policy that sanitizes or escapes it, rather than sprinkling ad-hoc checks before each sink. Analysis of results from Google’s Vulnerability Reward Program showed that Trusted Types would have prevented at least 61% of the DOM-based XSS bugs that Google’s static code analysis pipeline missed.

In this talk Bjarki Ágúst Guðmundsson shows how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, and walks through the steps required to identify, fix, and prevent future Trusted Types violations.
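The following is an added example, not code from the talk or from the Web Directions page, that models the Trusted Types flow described above: a named policy that escapes untrusted input, a sink that accepts only TrustedHTML, and the violation raised when a plain string reaches that sink. In a browser the page would be served with `Content-Security-Policy: require-trusted-types-for 'script'; trusted-types comment-policy` and the real `trustedTypes` global is used; in Node, which has no DOM, a minimal stand-in with the same shape is constructed so the example runs offline. The policy name, the stand-in element and the sample payload are assumptions made for the example.

```javascript
// Added example (not from the talk or the Web Directions page).
// Models Trusted Types end to end: policy -> TrustedHTML -> locked sink,
// plus the violation that a plain string triggers under enforcement.

function makeStandInTrustedTypes() {
  // Constructed stand-in for window.trustedTypes; only the parts used below.
  class TrustedHTML {
    #value;
    constructor(v) { this.#value = String(v); }
    toString() { return this.#value; }
  }
  const registered = new Set();
  return {
    createPolicy(name, rules) {
      // Browsers reject a duplicate policy name unless 'allow-duplicates' is set.
      if (registered.has(name)) throw new TypeError(`policy "${name}" already exists`);
      registered.add(name);
      return {
        name,
        createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
      };
    },
    isHTML: (v) => v instanceof TrustedHTML,
  };
}

// Real API in a browser, stand-in elsewhere (e.g. Node).
const tt = globalThis.trustedTypes ?? makeStandInTrustedTypes();

// Escape the characters that can break out of an HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// One narrowly scoped policy (name is an assumption). The only way to mint a
// TrustedHTML for comments is through this function, so the escaping cannot
// be bypassed by code that forgets to call it.
const commentPolicy = tt.createPolicy('comment-policy', {
  createHTML: (untrusted) => `<p class="comment">${escapeHtml(untrusted)}</p>`,
});

// Constructed stand-in for an element whose innerHTML sink is locked down.
// In a browser the element is real and the browser performs this check.
function makeLockedElement() {
  let html = '';
  return {
    set innerHTML(v) {
      if (!tt.isHTML(v)) {
        throw new TypeError("This document requires 'TrustedHTML' assignment.");
      }
      html = String(v);
    },
    get innerHTML() { return html; },
  };
}

// Before: untrusted input reaches the sink as a plain string. Without Trusted
// Types this is a DOM XSS; with enforcement it is a reported violation instead.
function renderCommentUnsafe(container, untrusted) {
  container.innerHTML = `<p class="comment">${untrusted}</p>`;
}

// After: the sink receives a TrustedHTML that only the policy can produce.
function renderCommentSafe(container, untrusted) {
  container.innerHTML = commentPolicy.createHTML(untrusted);
}

// Constructed sample input: a classic DOM XSS payload.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

// Runs both versions against the same locked sink and returns what happened.
function demo() {
  const el = makeLockedElement();
  let violation = null;
  try {
    renderCommentUnsafe(el, PAYLOAD);
  } catch (e) {
    violation = e.message;
  }
  renderCommentSafe(el, PAYLOAD);
  return { violation, rendered: el.innerHTML };
}

console.log(JSON.stringify(demo(), null, 2));
```

The rollout that the talk's "identify, fix, prevent" steps describe maps onto this code as follows: first ship `Content-Security-Policy-Report-Only: require-trusted-types-for 'script'` with a `report-uri`, so every call shaped like `renderCommentUnsafe` is reported without breaking the page; then fix each reported sink by routing its input through a policy (or by switching to a non-string DOM API such as `textContent`); finally move the directive to the enforcing `Content-Security-Policy` header and restrict `trusted-types` to the policy names you actually created, so new code cannot reintroduce a string-to-sink path.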

Bjarki Ágúst Guðmundsson

Bjarki has a strong technical background in computer science, having started developing websites at an early age. He holds an M.Sc. in Computer Science and a B.Sc. in Discrete Mathematics from Reykjavík University, with a short academic career resulting in several peer-reviewed publications and talks at international conferences in both computer science and mathematics. Bjarki previously worked as an information security consultant, performing everything from application assessments to real-world attack simulations. At Google, Bjarki carries out security hardening of application frameworks, develops inherently secure APIs, and builds compiler guards that guide developers to those APIs.

In 2022 we have a whole series of events for front end developers, plus a brand new free event in January 2022.

Across 2022 Web Directions is presenting our series of online conferences for front end designers and developers. Focussed deep dives, they go far beyond what you might expect from conference programs.

Learn more and register now

Priced individually from $195, or attend all 6, plus get access to our conference presentation platform Conffab for just $595, or $59 a month.

In January 2022, we’ll be showcasing some of the highlights of our 2021 conferences across 3 big weeks, for free, at Remixed! Register now to attend.

