
Michal Špaček: Trusted Types and DOM XSS
Let's talk about XSS (yeah, still), and particularly the DOM-based XSS type. This one happens in your browser and in your browser only, and luckily browsers also offer something to put a stop to it: Trusted Types. I'll explain how it works and what to expect when hunting for bugs, and why Trusted Types are a Good Thing™️, unlike previous browser-based defenses like the XSS Auditor. We'll also talk about CSP reporting, mostly because you enable Trusted Types with a CSP header (yeah, I know). I've also built a demo application so you can have a lot of fun laughing at my CSS skills.
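As an added illustration of the mechanism the abstract refers to (this is not code from the talk or from its demo application): the CSP directives that switch Trusted Types on, a policy that turns untrusted strings into trusted values for two DOM XSS sinks, and the report-only variant used for CSP reporting. The policy name "app-html", the origins example.test and static.example.test, and the /csp-report endpoint are assumptions for the example; the small shim only exists so the code runs outside a browser.

```javascript
// Added example, not from the talk. Assumed names: policy "app-html",
// origins https://app.example.test / https://static.example.test, endpoint /csp-report.

// 1. The CSP that enables Trusted Types.
//    require-trusted-types-for 'script' makes the browser reject plain strings
//    at injection sinks (innerHTML, eval, script.src, ...); trusted-types <name>
//    restricts which policy names trustedTypes.createPolicy may register;
//    report-uri delivers violation reports (use Report-Only to measure first).
function trustedTypesCsp({ policyName, reportUri, reportOnly }) {
  const header = reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const value = `require-trusted-types-for 'script'; trusted-types ${policyName}; report-uri ${reportUri}`;
  return { header, value };
}

// 2. Minimal stand-in for window.trustedTypes so the example runs in Node.
//    Real TrustedHTML/TrustedScriptURL objects also stringify to their value,
//    so the policy code below is unchanged in a browser.
const tt = globalThis.trustedTypes || {
  createPolicy(name, rules) {
    const wrap = (kind, value) => ({ kind, toString: () => value });
    return {
      name,
      createHTML: (input) => wrap('TrustedHTML', rules.createHTML(input)),
      createScriptURL: (input) => wrap('TrustedScriptURL', rules.createScriptURL(input)),
    };
  },
};

// 3. The policy: the single place where untrusted strings become trusted values,
//    which is what makes the sinks auditable instead of scattered across the app.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

const APP_ORIGIN = 'https://app.example.test';           // assumption
const ALLOWED_SCRIPT_ORIGIN = 'https://static.example.test'; // assumption

const policy = tt.createPolicy('app-html', {
  // Text-only rendering: everything is escaped, so markup never survives.
  createHTML: (input) => escapeHtml(input),
  // Script URLs: resolve relative to the app origin, then allowlist the origin.
  createScriptURL: (input) => {
    const u = new URL(input, APP_ORIGIN);
    if (u.origin !== ALLOWED_SCRIPT_ORIGIN) {
      throw new TypeError(`blocked script URL: ${input}`);
    }
    return u.href;
  },
});

// 4. The sink. With the CSP above, `el.innerHTML = rawString` throws a
//    TypeError (and sends a CSP report); only the policy's output is accepted.
function renderInto(el, untrusted) {
  el.innerHTML = policy.createHTML(untrusted);
  return el;
}
```

Roll this out with `reportOnly: true` first and watch the reports: every sink still fed a plain string shows up as a violation, which is exactly the DOM XSS hunting list the talk describes. Switch to the enforcing header once the reports stop.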
Michal is a software developer and an application security engineer who's on a mission to show developers and everyone else how and why to write secure code. He started building websites and apps during the "First browser war", when "Best viewed in Netscape" logos were still a thing. Michal has worked for Skype, the reporting aggregator report-uri.com, and some others, and is currently doing security at Shoptet.