
Web Directions Safe ’21 session spotlight: Eliminating XSS by adopting Trusted Types

Eliminating XSS by adopting Trusted Types

Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant of XSS occurs on the client side, when untrusted user input is passed to dangerous DOM APIs.

Trusted Types is a novel web browser API designed to eliminate DOM-based XSS. It locks down dangerous DOM sinks so that they accept only values produced by an appropriate security policy; developers prove that input is safe by routing it through such a policy, and passing an unvetted string instead triggers a Trusted Types violation. Analysis of results from Google’s Vulnerability Reward Program shows that it would have prevented at least 61% of the DOM-based XSS that Google’s static code analysis pipeline missed.

In this talk Bjarki Ágúst Guðmundsson shows how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, as well as the steps required to identify, fix, and prevent future Trusted Types violations.
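The enforcement and policy pattern the abstract describes, as an added example that is not from the talk or from Google’s code: the CSP directive that switches enforcement on, a named policy whose createHTML hook escapes untrusted text, and a sink assignment routed through it. The escapeHtml helper, the policy name app-policy and the comment-rendering scenario are assumptions; outside a browser that implements Trusted Types the policy falls back to a plain object of the same shape so the logic can be run and checked elsewhere.

```javascript
// 1. Enforcement is switched on by a CSP header sent by the server, e.g.
//      Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-policy
//    Once set, assigning a plain string to a sink such as innerHTML throws a
//    TypeError: this is the "Trusted Types violation" the abstract refers to.
//    Sending the same directive as Content-Security-Policy-Report-Only first
//    surfaces existing violating call sites as CSP reports without breaking them.

// 2. The policy: the single place where strings become TrustedHTML.
//    Entity-encoding keeps untrusted text inert; content that must remain real
//    markup would need a proper HTML sanitizer here instead.
//    escapeHtml is an assumed helper, not part of the Trusted Types API.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// Register the policy only where the browser API exists; elsewhere (Node,
// browsers without Trusted Types) fall back to a plain object with the same
// shape so the same code path can be exercised outside the browser.
const appPolicy =
  typeof trustedTypes !== 'undefined' && trustedTypes.createPolicy
    ? trustedTypes.createPolicy('app-policy', { createHTML: escapeHtml })
    : { createHTML: escapeHtml };

// 3. Every assignment to a DOM sink goes through the policy, never a raw string.
//    Returns the markup as a string so callers can inspect what reached the sink.
function renderComment(container, commentText) {
  const markup = appPolicy.createHTML(commentText);
  container.innerHTML = markup; // a TrustedHTML value, accepted under enforcement
  return String(markup);
}

// Constructed sample: a comment that would become live markup if it reached
// innerHTML as a raw string, and a minimal stand-in for a DOM element.
const sampleComment = '<script>alert(1)</script> nice post';
const fakeContainer = { innerHTML: '' };
const shown = renderComment(fakeContainer, sampleComment);
// shown === '&lt;script&gt;alert(1)&lt;/script&gt; nice post'
```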

Bjarki Ágúst Guðmundsson

Photo: Bjarki Ágúst Guðmundsson, Security Engineer, Google, presenting "Eliminating XSS by adopting Trusted Types" at Web Directions Safe 2021 (global, online, Dec. 3 & 10 2021: security, privacy, identity for front end developers).

Bjarki has a strong technical background in computer science, having started developing websites at an early age. He holds an M.Sc. in Computer Science and a B.Sc. in Discrete Mathematics from Reykjavík University, and a short academic career resulted in several peer-reviewed publications and talks at international conferences in both Computer Science and Mathematics. Bjarki previously worked as an information security consultant, performing everything from application assessments to real-world attack simulations. At Google, Bjarki carries out security hardening of application frameworks, develops inherently secure APIs, and builds compiler guards that guide developers to these APIs.
