CSP trusted types is an API that allows a website to reduce the possibility of XSS by controlling what kind of content can be placed in a "sink" like .innerHTML.

This release introduces a flexible callback that allows the calling code to provide its own sanitization or rejection of an server response for an <include-fragment-element>. For example, the site may want to allow the server to send a header to assert that certain HTML is sanitized and safe to use as-is, or the site may want to run the response through a sanitizer.

What's Changed

• move AOR to primer by @keithamus in #80
• Switch Promise chaining to async-await syntax. by @lgarron in #82
• Fix the location of try in new async code. by @lgarron in #83
• Fix up types for cached and returned data. by @lgarron in #84
• Add a script for npm run format. by @lgarron in #85
• Switch to web test runner by @keithamus in #86
• Add setCSPTrustedTypesPolicy() for CSP trusted types. by @lgarron in #81
• throw errors rather than resolving them by @keithamus in #87

New Contributors

• @lgarron made their first contribution in #82
• @rzhade3 and @fletchto99 made their first contribution in #81

Full Changelog: v6.0.1...v6.1.0