What's changing
We're improving the client-side security of YouTube with Trusted Types. This will provide an extra layer of protection around Document Object Model (DOM) APIs used by third-party extensions.
Trusted Types requires third-party browser extensions to use typed objects instead of strings when assigning values to DOM APIs. Starting on July 25, 2024, browser extensions that don't comply with Trusted Types security requirements may stop working after enforcement. We encourage extension developers to follow the Prevent DOM-based cross-site scripting vulnerabilities guide to ensure their browser extensions are compatible with the new YouTube security standards.
Why it's important
Enabling Trusted Types on YouTube will protect our users against a vast set of cross-site scripting (XSS) attacks. It further enhances our advanced data protection controls to keep users and data safe across more of the extensions they use every day on YouTube.
What should I do
Viewers and creators
No action required. Users who experience issues may temporarily disable the browser extensions that cause problems and inform the developers of those extensions. If you're having problems playing a YouTube video, we recommend opening YouTube in an incognito window with all extensions disabled. For more troubleshooting steps, see our Help Center article.
Developers
- If your extension modifies HTML and a user could use it on youtube.com, we encourage you to follow these steps to check that your extension is compatible and will operate properly after enforcement:
  - Override response headers with Chrome DevTools. To do so, add the following to the local header overrides for youtube.com:
    Content-Security-Policy: require-trusted-types-for 'script'
  - Bypass the YouTube service worker. Open DevTools, navigate to the Application tab and select "Service workers" in the Application section. Check "Bypass for network" in the Service workers settings.
  - As an aid, you can enable automatic breakpoints on Trusted Types violations. By design, Trusted Types causes a runtime error when a Trusted Types violation is detected.
  - Test your extension workflows. If a Trusted Types violation occurs, you will get an error in the Chrome DevTools Console (and hit a breakpoint if you have enabled it).
- If your extension code contains Trusted Types violations, follow the Prevent DOM-based cross-site scripting vulnerabilities guide to resolve them. There are several ways to be Trusted Types compliant, such as removing the offending code, using a library (such as safevalues or DOMPurify), or creating a Trusted Types policy.
You might also want to check this list of frameworks and libraries that could help make your extension Trusted Types compliant (you may be using an old third-party library that is worth updating).
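The "creating a Trusted Types policy" option mentioned above, shown as an added example (not code from YouTube or from any particular extension): a string assigned to innerHTML is rejected under enforcement, while the output of a narrowly scoped policy is accepted. The policy name, the function names and the Fake* stand-ins are assumptions made for illustration.

```javascript
// Added example; 'example-ext-badge', renderBadge and the Fake* names are hypothetical.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Narrow policy: it emits one fixed template and escapes the variable part,
// so callers cannot push arbitrary markup through it.
function createBadgePolicy(tt) {
  const rules = {
    createHTML: (label) => `<span class="ext-badge">${escapeHtml(label)}</span>`,
  };
  // Browsers without Trusted Types still accept strings: fall back to the same rules.
  return tt && typeof tt.createPolicy === 'function' ? tt.createPolicy('example-ext-badge', rules) : rules;
}

// Before: a raw string reaches the innerHTML sink and throws under enforcement.
function renderBadgeUnsafe(el, label) {
  el.innerHTML = '<span class="ext-badge">' + label + '</span>';
}

// After: the sink receives the policy's output instead of a string.
function renderBadge(el, label, policy) {
  el.innerHTML = policy.createHTML(label);
}

// Constructed stand-ins so the example runs outside a browser (for example in Node):
// a minimal trustedTypes factory and an element whose innerHTML setter rejects plain
// strings, as a page served with require-trusted-types-for 'script' does.
class FakeTrustedHTML {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}
const fakeTrustedTypes = {
  createPolicy: (name, rules) => ({
    name,
    createHTML: (input) => new FakeTrustedHTML(rules.createHTML(input)),
  }),
};
function makeEnforcingElement() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(value) {
      if (!(value instanceof FakeTrustedHTML)) throw new TypeError('TrustedHTML required (stand-in error)');
      html = String(value);
    },
  };
}
```

In a real content script, call createBadgePolicy(globalThis.trustedTypes) once and reuse the returned policy; the Fake* helpers exist only so the example can run offline.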
To ensure a seamless experience for users, it is recommended that browser extensions are made Trusted Types compliant before the security feature is rolled out on YouTube. Failure to make code Trusted Types compliant may cause feature breakages for third-party extensions as their DOM manipulations will be blocked by the browser.