CSP present but missing 'require-trusted-types-for script' (Chrome/Edge-only, ~1-2% adoption)
Trusted Types is a browser security feature (supported in Chrome and Edge) that blocks a specific class of attack where malicious code is injected into a page through JavaScript DOM operations like innerHTML. Your Content Security Policy does not include this directive.
Why this matters
Without Trusted Types, a cross-site scripting attack that injects code via JavaScript can still execute even when other CSP rules are in place. It is an advanced layer of protection with low adoption, so adding it puts you ahead of most sites.
How to fix it
Add require-trusted-types-for 'script' to your Content Security Policy header. This may require a developer to audit and update any code that writes to innerHTML or uses eval — but it closes one of the last script-injection gaps CSP leaves open.
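As an added example (not part of the scanner report), the two halves of the fix in JavaScript: the header value to send, including the report-only variant used for the audit step, and one page-side Trusted Types policy through which every innerHTML write is routed. The policy name app-html, the helper names, and the use of plain escaping where production code would plug in a real sanitizer are assumptions.

```javascript
// Added example, not code from the scanner or any project it describes.
// Assumed names: policy "app-html", helpers buildCsp / createHtmlPolicy / setInnerHtml.

// Server side: build the CSP header. Shipping the Report-Only header first
// surfaces every innerHTML/eval sink that would break, before enforcing.
function buildCsp(policyName, enforce) {
  const header = enforce
    ? 'Content-Security-Policy'
    : 'Content-Security-Policy-Report-Only';
  // 'trusted-types <name>' limits which policy names the page may create,
  // so injected script cannot simply register a permissive policy of its own.
  const value = `require-trusted-types-for 'script'; trusted-types ${policyName}`;
  return { header, value };
}

// Default rule: turn markup into inert text. Production code would normally
// pass a real HTML sanitizer here instead (assumption: caller supplies one).
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Page side: create the policy once. `tt` is window.trustedTypes in a browser;
// passing it in lets the same code run where Trusted Types is absent.
function createHtmlPolicy(tt, policyName, sanitize = escapeHtml) {
  const rules = { createHTML: (input) => sanitize(input) };
  if (tt && typeof tt.createPolicy === 'function') {
    // With enforcement on, a raw string assigned to innerHTML throws;
    // only TrustedHTML produced by this policy is accepted.
    return tt.createPolicy(policyName, rules);
  }
  // No Trusted Types support: apply the same rule so behaviour matches.
  return { createHTML: rules.createHTML };
}

// The single place in the app that writes innerHTML; all untrusted
// markup must pass through the policy before reaching the sink.
function setInnerHtml(el, policy, untrusted) {
  el.innerHTML = policy.createHTML(untrusted);
  return String(el.innerHTML);
}
```

Roll out with `buildCsp('app-html', false)` until the violation reports are empty, then switch to `buildCsp('app-html', true)`.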