The navigator.userActivation API reveals whether the user has interacted with the page through an “activation” gesture such as a click, tap, or key press. User activation gated APIs (such as the fullscreen API) fail without user interaction, and this API allows you to predict such a failure.
Trusted types allow you to lock down insecure parts of the DOM API and prevent client-side cross-site scripting (XSS) attacks.
api.Element.innerHTML.enforces_trusted_types [mdn]api.HTMLScriptElement.innerText.enforces_trusted_types [mdn]api.HTMLScriptElement.src.enforces_trusted_types [mdn]api.HTMLScriptElement.text.enforces_trusted_types [mdn]api.HTMLScriptElement.textContent.enforces_trusted_types [mdn]api.ShadowRoot.innerHTML.enforces_trusted_types [mdn]api.TrustedHTML [mdn]api.TrustedHTML.toString [mdn]api.TrustedScript [mdn]api.TrustedScript.toString [mdn]api.TrustedScriptURL [mdn]api.TrustedScriptURL.toString [mdn]api.TrustedTypePolicy [mdn]api.TrustedTypePolicy.createHTML [mdn]api.TrustedTypePolicy.createScript [mdn]api.TrustedTypePolicy.createScriptURL [mdn]api.TrustedTypePolicy.name [mdn]api.TrustedTypePolicyFactory [mdn]api.TrustedTypePolicyFactory.createPolicy [mdn]api.TrustedTypePolicyFactory.defaultPolicy [mdn]api.TrustedTypePolicyFactory.emptyHTML [mdn]api.TrustedTypePolicyFactory.emptyScript [mdn]api.TrustedTypePolicyFactory.getAttributeType [mdn]api.TrustedTypePolicyFactory.getPropertyType [mdn]api.TrustedTypePolicyFactory.isHTML [mdn]api.TrustedTypePolicyFactory.isScript [mdn]api.TrustedTypePolicyFactory.isScriptURL [mdn]api.setInterval.code_param_enforces_trusted_types [mdn]api.setTimeout.code_param_enforces_trusted_types [mdn]api.trustedTypes [mdn]http.headers.Content-Security-Policy.require-trusted-types-for [mdn]http.headers.Content-Security-Policy.trusted-types [mdn]api.TrustedHTML.toJSON [mdn]api.TrustedScript.toJSON [mdn]api.TrustedScriptURL.toJSON [mdn]The navigator.permissions API checks whether a permission, such as access to geolocation data, has been granted.
When a document is loaded over HTTPS, browsers ensure that none of the document’s resources are loaded over an insecure protocol. Instead, resources that the document attempts to load over an insecure protocol are either loaded over HTTPS or are blocked.
http.mixed-content [mdn]http.mixed-content.blockable_mixed_content [mdn]http.mixed-content.auto_upgrade_video_audio [mdn]http.mixed-content.auto_upgrade_images [mdn]http.mixed-content.block_mixed_downloads [mdn]http.mixed-content.allow_loopback_url [mdn]http.mixed-content.allow_localhost_url [mdn]http.mixed-content.allow_file_urls [mdn]The Upgrade-Insecure-Requests HTTP request header tells the server that the response should redirect to a secure (HTTPS) resource.
When a document is loaded over HTTPS, browsers ensure that none of the document’s resources are loaded over an insecure protocol. Instead, resources that the document attempts to load over an insecure protocol are either loaded over HTTPS or are blocked.
http.mixed-content [mdn]http.mixed-content.blockable_mixed_content [mdn]http.mixed-content.auto_upgrade_video_audio [mdn]http.mixed-content.auto_upgrade_images [mdn]http.mixed-content.block_mixed_downloads [mdn]http.mixed-content.allow_loopback_url [mdn]http.mixed-content.allow_localhost_url [mdn]http.mixed-content.allow_file_urls [mdn]Content Security Policy (CSP) helps to mitigate certain security threats, including cross-site scripting (XSS) and clickjacking attacks. It consists of a set of directives from a website to a browser, which instruct the browser to restrict the things that the site is allowed to do.
http.headers.Content-Security-Policy [mdn]http.headers.Content-Security-Policy-Report-Only [mdn]http.headers.Content-Security-Policy.default-src [mdn]http.headers.Content-Security-Policy.font-src [mdn]http.headers.Content-Security-Policy.frame-src [mdn]http.headers.Content-Security-Policy.img-src [mdn]http.headers.Content-Security-Policy.media-src [mdn]http.headers.Content-Security-Policy.object-src [mdn]http.headers.Content-Security-Policy.script-src [mdn]http.headers.Content-Security-Policy.style-src [mdn]http.headers.Content-Security-Policy.connect-src [mdn]http.headers.Content-Security-Policy.sandbox [mdn]http.headers.Content-Security-Policy.form-action [mdn]http.headers.Content-Security-Policy.child-src [mdn]html.elements.meta.http-equiv.content-security-policy [mdn]http.headers.Content-Security-Policy.frame-ancestors [mdn]http.headers.Content-Security-Policy.upgrade-insecure-requests [mdn]http.headers.Content-Security-Policy.meta-element-support [mdn]api.Element.securitypolicyviolation_event [mdn]api.SecurityPolicyViolationEvent [mdn]api.SecurityPolicyViolationEvent.SecurityPolicyViolationEvent [mdn]api.SecurityPolicyViolationEvent.blockedURI [mdn]api.SecurityPolicyViolationEvent.columnNumber [mdn]api.SecurityPolicyViolationEvent.documentURI [mdn]api.SecurityPolicyViolationEvent.effectiveDirective [mdn]api.SecurityPolicyViolationEvent.lineNumber [mdn]api.SecurityPolicyViolationEvent.originalPolicy [mdn]api.SecurityPolicyViolationEvent.referrer [mdn]api.SecurityPolicyViolationEvent.sourceFile [mdn]api.SecurityPolicyViolationEvent.statusCode [mdn]api.SecurityPolicyViolationEvent.violatedDirective [mdn]api.WorkerGlobalScope.securitypolicyviolation_event [mdn]http.headers.Content-Security-Policy.base-uri [mdn]http.headers.Content-Security-Policy.manifest-src [mdn]http.headers.Content-Security-Policy.worker_support [mdn]api.SecurityPolicyViolationEvent.disposition [mdn]api.SecurityPolicyViolationEvent.sample [mdn]http.headers.Content-Security-Policy.report-sample [mdn]api.Document.securitypolicyviolation_event [mdn]http.headers.Content-Security-Policy.worker-src [mdn]http.headers.Content-Security-Policy.script-src.wasm-unsafe-eval [mdn]http.headers.Content-Security-Policy.script-src-attr [mdn]http.headers.Content-Security-Policy.script-src-elem [mdn]http.headers.Content-Security-Policy.style-src-attr [mdn]http.headers.Content-Security-Policy.style-src-elem [mdn]http.headers.Content-Security-Policy.unsafe-hashes [mdn]http.headers.Content-Security-Policy.script-src.external_scripts [mdn]http.headers.Content-Security-Policy.strict-dynamic [mdn]api.SecurityPolicyViolationEvent.worker_support [mdn]http.headers.Content-Security-Policy.report-to [mdn]api.HTMLIFrameElement.csp [mdn]html.elements.iframe.csp [mdn]api.CSPViolationReportBody [mdn]api.CSPViolationReportBody.blockedURL [mdn]api.CSPViolationReportBody.columnNumber [mdn]api.CSPViolationReportBody.disposition [mdn]api.CSPViolationReportBody.documentURL [mdn]api.CSPViolationReportBody.effectiveDirective [mdn]api.CSPViolationReportBody.lineNumber [mdn]api.CSPViolationReportBody.originalPolicy [mdn]api.CSPViolationReportBody.referrer [mdn]api.CSPViolationReportBody.sample [mdn]api.CSPViolationReportBody.sourceFile [mdn]api.CSPViolationReportBody.statusCode [mdn]api.CSPViolationReportBody.toJSON [mdn]The Upgrade-Insecure-Requests HTTP request header tells the server that the response should redirect to a secure (HTTPS) resource.
Cross-Origin Resource Sharing is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Also known as CORS.
http.headers.Access-Control-Allow-Credentials [mdn]http.headers.Access-Control-Allow-Headers [mdn]http.headers.Access-Control-Allow-Methods [mdn]http.headers.Access-Control-Allow-Origin [mdn]http.headers.Access-Control-Expose-Headers [mdn]http.headers.Access-Control-Max-Age [mdn]http.headers.Access-Control-Request-Headers [mdn]http.headers.Access-Control-Request-Method [mdn]http.headers.Access-Control-Allow-Headers.wildcard [mdn]http.headers.Access-Control-Allow-Methods.wildcard [mdn]http.headers.Access-Control-Expose-Headers.wildcard [mdn]http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard [mdn]The Strict-Transport-Security HTTP response header informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Also known as HSTS.
http.headers.Strict-Transport-Security [mdn]Content Security Policy (CSP) helps to mitigate certain security threats, including cross-site scripting (XSS) and clickjacking attacks. It consists of a set of directives from a website to a browser, which instruct the browser to restrict the things that the site is allowed to do.
http.headers.Content-Security-Policy [mdn]http.headers.Content-Security-Policy-Report-Only [mdn]http.headers.Content-Security-Policy.default-src [mdn]http.headers.Content-Security-Policy.font-src [mdn]http.headers.Content-Security-Policy.frame-src [mdn]http.headers.Content-Security-Policy.img-src [mdn]http.headers.Content-Security-Policy.media-src [mdn]http.headers.Content-Security-Policy.object-src [mdn]http.headers.Content-Security-Policy.script-src [mdn]http.headers.Content-Security-Policy.style-src [mdn]http.headers.Content-Security-Policy.connect-src [mdn]http.headers.Content-Security-Policy.sandbox [mdn]http.headers.Content-Security-Policy.form-action [mdn]http.headers.Content-Security-Policy.child-src [mdn]html.elements.meta.http-equiv.content-security-policy [mdn]http.headers.Content-Security-Policy.frame-ancestors [mdn]http.headers.Content-Security-Policy.upgrade-insecure-requests [mdn]http.headers.Content-Security-Policy.meta-element-support [mdn]api.Element.securitypolicyviolation_event [mdn]api.SecurityPolicyViolationEvent [mdn]api.SecurityPolicyViolationEvent.SecurityPolicyViolationEvent [mdn]api.SecurityPolicyViolationEvent.blockedURI [mdn]api.SecurityPolicyViolationEvent.columnNumber [mdn]api.SecurityPolicyViolationEvent.documentURI [mdn]api.SecurityPolicyViolationEvent.effectiveDirective [mdn]api.SecurityPolicyViolationEvent.lineNumber [mdn]api.SecurityPolicyViolationEvent.originalPolicy [mdn]api.SecurityPolicyViolationEvent.referrer [mdn]api.SecurityPolicyViolationEvent.sourceFile [mdn]api.SecurityPolicyViolationEvent.statusCode [mdn]api.SecurityPolicyViolationEvent.violatedDirective [mdn]api.WorkerGlobalScope.securitypolicyviolation_event [mdn]http.headers.Content-Security-Policy.base-uri [mdn]http.headers.Content-Security-Policy.manifest-src [mdn]http.headers.Content-Security-Policy.worker_support [mdn]api.SecurityPolicyViolationEvent.disposition [mdn]api.SecurityPolicyViolationEvent.sample [mdn]http.headers.Content-Security-Policy.report-sample [mdn]api.Document.securitypolicyviolation_event [mdn]http.headers.Content-Security-Policy.worker-src [mdn]http.headers.Content-Security-Policy.script-src.wasm-unsafe-eval [mdn]http.headers.Content-Security-Policy.script-src-attr [mdn]http.headers.Content-Security-Policy.script-src-elem [mdn]http.headers.Content-Security-Policy.style-src-attr [mdn]http.headers.Content-Security-Policy.style-src-elem [mdn]http.headers.Content-Security-Policy.unsafe-hashes [mdn]http.headers.Content-Security-Policy.script-src.external_scripts [mdn]http.headers.Content-Security-Policy.strict-dynamic [mdn]api.SecurityPolicyViolationEvent.worker_support [mdn]http.headers.Content-Security-Policy.report-to [mdn]api.HTMLIFrameElement.csp [mdn]html.elements.iframe.csp [mdn]api.CSPViolationReportBody [mdn]api.CSPViolationReportBody.blockedURL [mdn]api.CSPViolationReportBody.columnNumber [mdn]api.CSPViolationReportBody.disposition [mdn]api.CSPViolationReportBody.documentURL [mdn]api.CSPViolationReportBody.effectiveDirective [mdn]api.CSPViolationReportBody.lineNumber [mdn]api.CSPViolationReportBody.originalPolicy [mdn]api.CSPViolationReportBody.referrer [mdn]api.CSPViolationReportBody.sample [mdn]api.CSPViolationReportBody.sourceFile [mdn]api.CSPViolationReportBody.statusCode [mdn]api.CSPViolationReportBody.toJSON [mdn]Cross-Origin Resource Sharing is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. Also known as CORS.
http.headers.Access-Control-Allow-Credentials [mdn]http.headers.Access-Control-Allow-Headers [mdn]http.headers.Access-Control-Allow-Methods [mdn]http.headers.Access-Control-Allow-Origin [mdn]http.headers.Access-Control-Expose-Headers [mdn]http.headers.Access-Control-Max-Age [mdn]http.headers.Access-Control-Request-Headers [mdn]http.headers.Access-Control-Request-Method [mdn]http.headers.Access-Control-Allow-Headers.wildcard [mdn]http.headers.Access-Control-Allow-Methods.wildcard [mdn]http.headers.Access-Control-Expose-Headers.wildcard [mdn]http.headers.Access-Control-Allow-Headers.authorization_not_covered_by_wildcard [mdn]The Strict-Transport-Security HTTP response header informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Also known as HSTS.
http.headers.Strict-Transport-Security [mdn]