CentralCSP
Register

Main menu

All articles

Next Article

The Reporting-Endpoints HTTP Header

The trusted-types-eval Keyword in CSP

Saturday, February 21, 2026
4 min read
Theotime QuereCentralCSP Team
The 'trusted-types-eval' keyword in CSP lets you use eval(), setTimeout(code), and Function() only when Trusted Types are on and you pass Trusted Type objects (not raw strings) into those functions. Use it only when you really need it; otherwise avoid it.

What CSP blocks by default

If your CSP has default-src or script-src, the browser blocks code that runs strings as JavaScript, including:
  • eval()
  • The string you pass to setTimeout() as code
  • new Function()
So by default, these are disabled.

What trusted-types-eval does

  • 'unsafe-eval' : Turns them back on for any string. High risk.
  • 'trusted-types-eval' : Turns them back on only when:
    1. Trusted Types are enforced (require-trusted-types-for), and
    2. You pass a Trusted Type (from a policy) into the function, not a plain string.
So the string has to go through your policy first. That gives you a place to sanitize it, but the policy can still be wrong, Trusted Types don't make the code safe by themselves. Use 'trusted-types-eval', not 'unsafe-eval', when you need eval with Trusted Types. Then browsers that don't support Trusted Types still block these methods instead of allowing unrestricted eval.

Example CSP using trusted-types-eval with a Trusted Types policy

Content-Security-Policy: script-src 'self' 'trusted-types-eval'; trusted-types myPolicy; require-trusted-types-for 'script';

Why avoid it

  • Risk : Running code from strings is dangerous. A policy helps but one mistake can still allow injection.
  • Better : Prefer removing eval-style code (use JSON.parse, normal code, etc.). Safer than any eval keyword.
  • Support : Trusted Types are experimental; not all browsers support them.
Use 'trusted-types-eval' only as a temporary step while you plan to remove eval.

What to do instead

  1. Remove eval : Replace with JSON.parse, static code, or other non-dynamic options when you can.
  2. Allow specific scripts : Use nonces or hashes in script-src to allow known scripts, not eval.
  3. If you must allow eval for now : Use 'trusted-types-eval' (not 'unsafe-eval') with a strict policy and plan to remove it later.

See also

Continue Reading

report-sha256, report-sha384, report-sha512 in CSP

How report-shaXXX keywords in CSP script directives work and how CentralCSP processes these reports with CVE detection and alerting.

2026-02-21
5 min read
CentralCSP TeamCentralCSP Team
Read more

The Reporting-Endpoints Header

What the Reporting-Endpoints header does and how it benefits website maintenance, security, and compliance with CentralCSP.

2026-02-15
4 min read
CentralCSP TeamCentralCSP Team
Read more

Main menu

All articles

CentralCSP Team

Written by

CentralCSP Team

    The trusted-types-eval Keyword in CSP | CentralCSP