Trusted Types are a web platform security feature that helps prevent certain DOM-based XSS attacks by blocking risky injection points (DOM XSS sinks such as .innerHTML) from accepting unvalidated string values. When Trusted Types are enforced and a sink receives a plain string, the assignment is rejected (it throws a TypeError) and the browser reports a CSP violation.
The Content-Security-Policy (CSP) header uses the require-trusted-types-for directive to enforce Trusted Types.
How the Lighthouse audit fails

The audit passes if a Content-Security-Policy header is set and it includes the require-trusted-types-for directive with 'script' as its value. The audit fails if the CSP header is not set, or if it is set but does not contain the require-trusted-types-for directive.
Configure a CSP header and Trusted Types directive to mitigate DOM-based XSS
User agents use the require-trusted-types-for directive to control what data may be passed to DOM XSS sink functions. With the 'script' value, the browser requires that DOM XSS injection sinks (such as innerHTML, eval and similar) accept only values created by a Trusted Types policy rather than plain strings:
Content-Security-Policy: require-trusted-types-for 'script';
Enforcing this on a site that still assigns strings to sinks breaks those assignments, so deploy the same directive in a Content-Security-Policy-Report-Only header first to find the affected code, and create the policies before switching to the enforcing header.
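The following is an added example, not code from this page or from Lighthouse: it shows the vulnerable string-to-sink pattern that the header above blocks beside the hardened form that goes through a Trusted Types policy. The policy name "app-html", the escaping rules and the attacker payload are assumptions made for the demonstration; outside a browser there is no trustedTypes object, so a minimal stand-in with the same createPolicy shape is used only to let the code run offline.

```javascript
// Escape the characters that carry meaning in HTML so untrusted text renders as text.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// In a browser, use the real factory. Elsewhere (e.g. Node) fall back to a
// stand-in that only mimics createPolicy's shape; this is for demonstration and
// provides no protection of its own.
const tt = typeof globalThis.trustedTypes !== 'undefined'
  ? globalThis.trustedTypes
  : { createPolicy: (name, rules) => ({ name, createHTML: (s) => rules.createHTML(s) }) };

// One policy whose createHTML sanitises its input. Under
// "require-trusted-types-for 'script'" only values produced by a policy like
// this are accepted by innerHTML, outerHTML, document.write and similar sinks.
const htmlPolicy = tt.createPolicy('app-html', {
  createHTML: (untrusted) => `<p class="greeting">${escapeHtml(untrusted)}</p>`,
});

// Vulnerable pattern: an attacker-controlled string goes straight to a sink.
// With Trusted Types enforced the browser throws a TypeError and reports a
// CSP violation instead of parsing the markup.
function renderUnsafe(element, untrusted) {
  element.innerHTML = `<p class="greeting">${untrusted}</p>`;
}

// Hardened pattern: the sink receives a TrustedHTML value made by the policy,
// so the sanitiser cannot be bypassed by a code path that forgets to call it.
function renderSafe(element, untrusted) {
  element.innerHTML = htmlPolicy.createHTML(untrusted);
}

// Constructed stand-in for a DOM element, so the example runs without a browser.
function fakeElement() {
  return { innerHTML: '' };
}

// Constructed attacker input, e.g. taken from location.hash or a query string.
const payload = '<img src=x onerror="alert(1)">';

const unsafeEl = fakeElement();
renderUnsafe(unsafeEl, payload);
console.log('unsafe:', unsafeEl.innerHTML);

const safeEl = fakeElement();
renderSafe(safeEl, payload);
console.log('safe:  ', String(safeEl.innerHTML));
```

Pairing the header with a trusted-types directive that lists the allowed policy names (for example trusted-types app-html) stops injected or third-party script from creating its own permissive policy; the sanitiser inside createHTML is where the real security decision lives, so review it as carefully as the sink it guards.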