Extending Trusted Types to Gmail

What’s changing

Last year, we improved the client-side security of Google Docs, Sheets, Slides, Forms, Sites, Drawings, Drive, and Calendar with Trusted Types. This browser-based runtime feature limits the uses of Document Object Model (DOM) APIs that are used by the apps listed above or third-party extensions. Trusted Types also reduce the possibility of Document Object Model Cross Site Scripting (DOM XSS), which continues to be one of the most critical threats to web security.
DOM XSS occurs when a cyber attacker injects malicious code into a web page, which can then be executed by the victim’s browser. This can allow the cyber attacker to steal cookies, hijack sessions, and even take control of the victim’s computer.
To defend against this, we’re excited to announce the expansion of Trusted Types to Gmail. This will provide a defense against DOM XSS and further enhance our advanced data protection controls to keep users and data safe across more of the apps they use every day.

Who’s impacted

Developers (relying on any Chrome extensions that modify DOM APIs)

Additional details

This new enforcement mode will require third-party extensions to use typed objects instead of strings when assigning values to DOM APIs. Once Trusted Types are fully enforced, the Trusted Types directive will be present in the Content Security Policy (CSP) header:
Content-Security-Policy: require-trusted-types-for 'script';report-uri https://mail.google.com/mail/cspreport

Getting started

Admins: There is no admin control for this feature.
Developers: To make code Trusted Types compliant, signal to the browser that data being used within the context of these DOM APIs is trustworthy by creating a Trusted Type special object. There are several ways to be Trusted Types compliant, such as removing the offending code, using a library (such as safevalues or DOMPurify), or creating a Trusted Types policy. To ensure a seamless experience for users, we recommend employing these techniques before Trusted Types enforcement is rolled out. Failure to make code Trusted Types compliant may cause feature breakages for third-party extensions as their DOM manipulations will be blocked by the browser.
End users: There is no end user setting for this feature.
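For the "creating a Trusted Types policy" option in the Developers note above, here is one way an extension could replace a string assignment to innerHTML with a typed object. This is an added example, not code from Google or from this announcement; the policy name my-extension-html and the helper names createHtmlPolicy, makeHtmlTag and renderBadge are hypothetical.

```javascript
// Added example. Escapes the five characters that matter in HTML text and
// quoted-attribute contexts; it is not safe for unquoted attributes, URLs,
// or script/style bodies.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (v) => String(v).replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Create the policy once. The factory is a parameter so the helper can be
// exercised outside a browser; where Trusted Types is unavailable the rules
// object itself is returned, so call sites stay identical.
function createHtmlPolicy(factory = globalThis.trustedTypes) {
  const rules = { createHTML: (markup) => markup };
  return factory && factory.createPolicy
    ? factory.createPolicy('my-extension-html', rules) // hypothetical name
    : rules;
}

// The policy is a pass-through, so it must never be exported. The only way
// to reach it is this tagged template, which escapes every interpolated
// value and leaves only developer-authored literal markup unescaped.
function makeHtmlTag(policy) {
  return function html(strings, ...values) {
    let out = strings[0];
    values.forEach((v, i) => { out += escapeHtml(v) + strings[i + 1]; });
    return policy.createHTML(out);
  };
}

const html = makeHtmlTag(createHtmlPolicy());

// Before: element.innerHTML = '<span class="badge">' + label + '</span>';
//         (plain string into a DOM sink: blocked under enforcement)
// After:  the sink receives the object minted by the policy.
function renderBadge(element, label) {
  element.innerHTML = html`<span class="badge">${label}</span>`;
  return element;
}
```

Sinks such as innerHTML are the ones the require-trusted-types-for 'script' directive guards; assignments through textContent or createElement are not string-to-markup sinks and need no policy.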

Rollout pace

Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on February 12, 2024
Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on March 11, 2024

Availability

Available to all Google Workspace customers and users with personal Google Accounts

Resources