The trusted-types-eval Keyword in CSP

Saturday, February 21, 2026
4 min read
Theotime Quere, CentralCSP Team
The 'trusted-types-eval' keyword in CSP lets you use eval(), setTimeout(code), and Function() only when Trusted Types are on and you pass Trusted Type objects (not raw strings) into those functions. Use it only when you really need it; otherwise avoid it.

What CSP blocks by default

If your CSP has default-src or script-src, the browser blocks code that runs strings as JavaScript, including:
  • eval()
  • The string you pass to setTimeout() as code
  • new Function()
So by default, these are disabled.

What trusted-types-eval does

  • 'unsafe-eval' : Turns them back on for any string. High risk.
  • 'trusted-types-eval' : Turns them back on only when:
    1. Trusted Types are enforced (require-trusted-types-for), and
    2. You pass a Trusted Type (from a policy) into the function, not a plain string.
So the string has to go through your policy first. That gives you a place to validate or sanitize it, but the policy can still be wrong: Trusted Types don't make the code safe by themselves. Use 'trusted-types-eval', not 'unsafe-eval', when you need eval with Trusted Types. Browsers that don't support Trusted Types (and so don't recognize the keyword) keep blocking these methods instead of allowing unrestricted eval.

Example CSP using trusted-types-eval with a Trusted Types policy

Content-Security-Policy: script-src 'self' 'trusted-types-eval'; trusted-types myPolicy; require-trusted-types-for 'script';

Why avoid it

  • Risk : Running code from strings is dangerous. A policy helps but one mistake can still allow injection.
  • Better : Prefer removing eval-style code (use JSON.parse, normal code, etc.). Safer than any eval keyword.
  • Support : Trusted Types are experimental; not all browsers support them.
Use 'trusted-types-eval' only as a temporary step while you plan to remove eval.

What to do instead

  1. Remove eval : Replace with JSON.parse, static code, or other non-dynamic options when you can.
  2. Allow specific scripts : Use nonces or hashes in script-src to allow known scripts, not eval.
  3. If you must allow eval for now : Use 'trusted-types-eval' (not 'unsafe-eval') with a strict policy and plan to remove it later.
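The following is an added example, not code from the original article or from CentralCSP. It shows the two paths described above in one place: a Trusted Types policy named `myPolicy` (matching the header in the CSP example) that only hands an allowlisted snippet to `eval()`/`setTimeout()`, and the preferred non-eval replacement (`JSON.parse`) for the common `eval('(' + text + ')')` pattern. The snippet allowlist, the `makeEvalPolicy`, `toTrustedScript`, `scheduleTrusted` and `parseConfig` names, and the behaviour when `trustedTypes` is absent are all assumptions made for this example.

```javascript
// Added example (not from the original article). Assumptions: the policy name
// 'myPolicy' matches the CSP header shown above, and the allowlist below is a
// constructed stand-in for the handful of legacy snippets an app still evaluates.

// Constructed allowlist: the policy accepts only these exact strings, so an
// attacker-controlled value can never become a TrustedScript.
const ALLOWED_SNIPPETS = new Set([
  'initLegacyWidget()',
  'window.__featureFlags = {}',
]);

function isAllowedScript(src) {
  return typeof src === 'string' && ALLOWED_SNIPPETS.has(src.trim());
}

// Create the Trusted Types policy. Returns null when the browser has no
// trustedTypes object; in that case the CSP keeps eval blocked and callers
// must not fall back to evaluating raw strings.
function makeEvalPolicy(tt = globalThis.trustedTypes) {
  if (!tt || typeof tt.createPolicy !== 'function') return null;
  return tt.createPolicy('myPolicy', {
    createScript(src) {
      if (!isAllowedScript(src)) {
        throw new TypeError(`myPolicy rejected script: ${JSON.stringify(src)}`);
      }
      // The browser wraps the returned string in a TrustedScript object.
      return src;
    },
  });
}

// Turn a string into a TrustedScript via the policy (throws if not allowlisted).
function toTrustedScript(policy, src) {
  if (!policy) {
    throw new Error('Trusted Types unsupported here; eval stays blocked by CSP');
  }
  return policy.createScript(src);
}

// Legacy path: under 'trusted-types-eval' setTimeout() accepts the TrustedScript,
// whereas the same call with a plain string would be blocked by CSP.
function scheduleTrusted(policy, src, delayMs = 0) {
  const trusted = toTrustedScript(policy, src);
  return setTimeout(trusted, delayMs);
}

// Preferred path: replace eval('(' + text + ')') with JSON.parse, which needs
// no eval keyword in the CSP at all.
function parseConfig(text) {
  return JSON.parse(text);
}
```

In a page served with the header from the CSP example, `scheduleTrusted(makeEvalPolicy(), 'initLegacyWidget()')` runs, while passing any string that is not on the allowlist fails inside the policy before it ever reaches `setTimeout`. Keeping the allowlist this strict is what makes the policy meaningful; a `createScript` hook that returns its input unchanged is functionally 'unsafe-eval' again.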
