Trusted Types (optional)

MVG does not require Trusted Types by default. However, our verifier surfaces are built to be compatible with strict deployments — notably, we avoid HTML injection sinks (e.g., innerHTML).

What this gives auditors

If your security baseline prefers Trusted Types, you can enable it as an opt‑in hardening layer. This is designed to reduce “DOM XSS” questions without changing verification semantics.

Recommended approach

Start in Report‑Only to validate compatibility in your environment. When ready, switch to enforcement.

Content-Security-Policy-Report-Only:
  ...;
  require-trusted-types-for 'script';
  trusted-types mvg default;

Note: the above is a policy template. Keep your existing CSP directives unchanged; only add the Trusted Types clauses.

Scope

This is relevant for UI surfaces that render verifier results: /verify/, /verify-assurance/, /verify-diligence/, /verify-airgap-kit/.

Our goal is simple: no HTML injection sinks, deterministic rendering, and a fail‑closed posture.

Operational notes

Not enabled by default: enforcing Trusted Types is a deployment choice.
No telemetry required: we do not require external reporting endpoints.
Offline‑first remains intact: verification UIs continue to forbid network calls where applicable.

Back to security packet Back to site release