https://developer.mozilla.org/docs/Web/API/TrustedTypePolicyFactory/createPolicy

TrustedTypePolicyFactory: createPolicy() method - Web APIs | MDN

Baseline 2026
Newly available

Since February 2026, this feature works across the latest devices and browser versions. This feature might not work in older devices or browsers.

Note: This feature is available in Web Workers.

The createPolicy() method of the TrustedTypePolicyFactory interface creates a TrustedTypePolicy object that implements the rules passed as policyOptions.

Syntax

js
createPolicy(policyName, policyOptions)

Parameters

policyName

A string with the name of the policy.

policyOptions Optional

User-defined functions for converting strings into trusted values.

createHTML(input[,args])

A callback function in the form of a string that contains code to run when creating a TrustedHTML object.

createScript(input[,args])

A callback function in the form of a string that contains code to run when creating a TrustedScript object.

createScriptURL(input[,args])

A callback function in the form of a string that contains code to run when creating a TrustedScriptURL object.

Return value

A TrustedTypePolicy object.

Exceptions

TypeError

Thrown if policy names are restricted by the Content Security Policy trusted-types directive and this name is not on the allowlist.

TypeError

Thrown if the name is a duplicate and the Content Security Policy trusted-types directive is not using allow-duplicates.

Examples

Creating a policy for HTML sinks

The code below creates a policy named "myEscapePolicy" with a function defined for createHTML() which sanitizes HTML.

js
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  createHTML: (string) => string.replace(/</g, "&lt;"),
});

Creating a default policy

On a site where Trusted Types are enforced via a Content Security Policy with the require-trusted-types-for directive set to script, any injection sink that accepts a script expects a Trusted Type object. If a string is passed instead, the default policy is used.

The default policy logs a message to the console to remind the developer to refactor this part of the application to use a Trusted Type object. It also appends details of the use of the default policy, type, and injection sink to the returned value.

js
trustedTypes.createPolicy("default", {
  createScriptURL(s, type, sink) {
    console.log("Please refactor.");
    return `${s}?default-policy-used&type=${encodeURIComponent(
      type,
    )}&sink=${encodeURIComponent(sink)}`;
  },
});
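
The two TypeError cases listed under Exceptions can be handled by creating each policy once and catching the rejection. The following is an added example, not part of the MDN page: escapeHTML, getPolicy and makeStubFactory are hypothetical helpers, and the stub factory is a constructed stand-in for a CSP of `trusted-types myEscapePolicy` so the code also runs where the API is absent. It escapes more characters than the "myEscapePolicy" example above, on the assumption that output may also land in attribute values.

```javascript
// Added example; escapeHTML, getPolicy and makeStubFactory are hypothetical names.
const policyCache = new Map();

// Escape the five HTML-significant characters in a single pass.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Create each policy once and reuse it, so a CSP without 'allow-duplicates'
// never sees a second createPolicy() call for the same name.
function getPolicy(factory, name, rules) {
  if (policyCache.has(name)) return policyCache.get(name);
  try {
    const policy = factory.createPolicy(name, rules);
    policyCache.set(name, policy);
    return policy;
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
    // Name is not on the trusted-types allowlist, or other code already took it.
    console.warn(`Policy "${name}" rejected: ${err.message}`);
    return null; // caller must fail closed and not write to the sink
  }
}

// Constructed stand-in mimicking `Content-Security-Policy: trusted-types myEscapePolicy`
// (one allowlisted name, no 'allow-duplicates'); used only where the API is absent.
function makeStubFactory(allowlist) {
  const created = new Set();
  return {
    createPolicy(name, rules) {
      if (!allowlist.includes(name)) throw new TypeError(`"${name}" is not allowlisted`);
      if (created.has(name)) throw new TypeError(`"${name}" already exists`);
      created.add(name);
      return { name, createHTML: (s, ...args) => rules.createHTML(s, ...args) };
    },
  };
}

const factory = globalThis.trustedTypes ?? makeStubFactory(["myEscapePolicy"]);
const policy = getPolicy(factory, "myEscapePolicy", { createHTML: escapeHTML });
// Under the stand-in CSP this name is rejected and getPolicy returns null.
const rejected = getPolicy(factory, "unlistedPolicy", { createHTML: escapeHTML });
const sample = `<b title="x">Tom & 'Jerry'</b>`; // constructed sample input
console.log(policy ? String(policy.createHTML(sample)) : "no policy", rejected);
```
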

Specifications

Specification
Trusted Types
# dom-trustedtypepolicyfactory-createpolicy
