Expand trusted types guidance

[wbamberg]

I had thought to defer updates to the trusted types docs until it ships cross-browser, but given conversations like w3c-cg/swag#9 (comment) and our general desire to talk about this API, I thought it was worth expanding on things a little now.

We should think of this PR as a stop-gap though: I still think we should revisit these docs, write a proper guide, and refresh all the API pages, when the API ships in Firefox or Safari.

This PR expands the Trusted Types API overview page in two ways:

• explain better about enforcement using a CSP
• explain about polyfills, since people can get the benefit of this API cross-browser now

I also updated the rest of the section to be clearer about what the API actually does and how it connects with XSS - I thought things like "lock down the insecure parts of the DOM API" weren't very meaningful.

I hope I understood the bit about polyfills!

@aaronshim, @lukewarlow

[github-actions]

Preview URLs (6 pages)

• /en-US/docs/Web/API/TrustedHTML
• /en-US/docs/Web/API/TrustedScript/toString
• /en-US/docs/Web/API/TrustedScriptURL/toString
• /en-US/docs/Web/API/TrustedScriptURL
• /en-US/docs/Web/API/TrustedScript
• /en-US/docs/Web/API/Trusted_Types_API

External URLs (3)

URL: /en-US/docs/Web/API/Trusted_Types_API
Title: Trusted Types API

• https://github.com/cure53/DOMPurify (1 time) (Note! This may be a new URL 👀)
• https://github.com/w3c/trusted-types (1 time) (Note! This may be a new URL 👀)
• https://github.com/w3c/trusted-types?tab=readme-ov-file (2 times) (Note! This may be a new URL 👀)

(comment last updated: 2025-02-02 17:07:17)

[lukewarlow]

I will try to review this change during this week.

The polyfill specifically might need some updates to match it with latest spec changes I'm not sure of its current state.