Trusted Types强制与DOM Sink治理（createPolicy/严格模式）最佳实践

背景与价值Trusted Types将危险DOM写入收敛为受控类型与策略。结合CSP强制，可阻断大多数XSS注入路径。统一规范CSP强制：开启 `require-trusted-types-for 'script'` 与 `trusted-types` 白名单。Policy最小化：统一注册少量策略并限制转换范围。Sink封装：对 `innerHTML`、`insertAdjacentHTML` 等封装受控写入。核心实现CSP头与Policy注册type Res = { setHeader: (k: string, v: string) => void } function setCsp(res: Res) { res.setHeader('Content-Security-Policy', "require-trusted-types-for 'script'; trusted-types app-policy") } function registerPolicy() { const tt = (window as any).trustedTypes if (!tt?.createPolicy) return null return tt.createPolicy('app-policy', { createHTML: (s: string) => s, createScriptURL: (u: string) => u }) } 受控Sink封装function setHTML(el: Element, html: string, policy: any) { if (!policy) return const safe = policy.createHTML(html) ;(el as any).innerHTML = safe } function setScriptUrl(el: HTMLScriptElement, url: string, policy: any) { if (!policy) return const safe = policy.createScriptURL(url) el.src = safe as any } 落地建议在响应头启用Trusted Types严格模式并注册统一Policy，限制转换能力。对核心Sink统一封装调用，避免直接字符串写入。验证清单是否启用 `require-trusted-types-for 'script'` 与白名单策略；DOM写入是否通过受控Policy。