mdn · Josh-Cena · Jan 21, 2026 · Jan 8, 2026 · Jan 9, 2026 · Jan 9, 2026
@@ -159,10 +159,13 @@ These cases are evaluated the untrusted script is added to the document.
 
 #### TrustedScript
 
-- [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)
+- [`AsyncFunction()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/AsyncFunction/AsyncFunction)
+- [`AsyncGeneratorFunction()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/AsyncGeneratorFunction/AsyncGeneratorFunction)
+- {{jsxref("eval()")}}
 - [`Element.setAttribute()`](/en-US/docs/Web/API/Element/setAttribute#value) (`value` argument)
 - [`Element.setAttributeNS()`](/en-US/docs/Web/API/Element/setAttributeNS#value) (`value` argument)
 - [`Function()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function)
+- [`GeneratorFunction()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/GeneratorFunction/GeneratorFunction)
 - {{domxref("HTMLScriptElement.innerText")}}
 - {{domxref("HTMLScriptElement.textContent")}}
 - {{domxref("HTMLScriptElement.text")}}

@@ -7,6 +7,14 @@ browser-compat: javascript.builtins.AsyncFunction.AsyncFunction
 sidebar: jsref
 ---
 
+> [!WARNING]
+> The arguments passed this method are dynamically evaluated and executed as JavaScript.
+> APIs like this are known as [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage), and are potentially a vector for [cross-site-scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks.
+>
+> You can mitigate this risk by always passing {{domxref("TrustedScript")}} objects instead of strings and [enforcing trusted types](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types).
+>
+> See [Security considerations](#security_considerations) in the [`Function()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function) for more information.
+
 The **`AsyncFunction()`** constructor creates {{jsxref("AsyncFunction")}} objects.
 
 Note that `AsyncFunction` is _not_ a global object. It can be obtained with the following code:
@@ -32,14 +40,18 @@ AsyncFunction(arg1, arg2, /* …, */ argN, functionBody)
 ```
 
 > [!NOTE]
-> `AsyncFunction()` can be called with or without [`new`](/en-US/docs/Web/JavaScript/Reference/Operators/new). Both create a new `AsyncFunction` instance.
+> `AsyncFunction()` can be called with or without [`new`](/en-US/docs/Web/JavaScript/Reference/Operators/new).
+> Both create a new `AsyncFunction` instance.
 
 ### Parameters
 
 See {{jsxref("Function/Function", "Function()")}}.
 
 ## Examples
 
+Note that these examples omit the use of trusted types for brevity.
+For code showing the usual approach, see [Using `TrustedScript`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#using_trustedscript) in `eval()`.
+
 ### Creating an async function from an AsyncFunction() constructor
 
 ```js
@@ -56,7 +68,7 @@ const AsyncFunction = async function () {}.constructor;
 const fn = new AsyncFunction(
   "a",
   "b",
-  "return await resolveAfter2Seconds(a) + await resolveAfter2Seconds(b);",
+  "return await resolveAfter2Seconds(a) + await resolveAfter2Seconds(b);"
 );
 
 fn(10, 20).then((v) => {

diff --git a/files/en-us/web/javascript/reference/global_objects/asyncfunction/index.md b/files/en-us/web/javascript/reference/global_objects/asyncfunction/index.md
@@ -6,6 +6,14 @@ browser-compat: javascript.builtins.AsyncFunction
 sidebar: jsref
 ---
 
+> [!WARNING]
+> The arguments passed this method are dynamically evaluated and executed as JavaScript.
+> APIs like this are known as [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage), and are potentially a vector for [cross-site-scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks.
+>
+> You can mitigate this risk by always passing {{domxref("TrustedScript")}} objects instead of strings and [enforcing trusted types](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types).
+>
+> See [Security considerations](#security_considerations) for more information.
+
 The **`AsyncFunction`** object provides methods for [async functions](/en-US/docs/Web/JavaScript/Reference/Statements/async_function). In JavaScript, every async function is actually an `AsyncFunction` object.
 
 Note that `AsyncFunction` is _not_ a global object. It can be obtained with the following code:

@@ -7,6 +7,14 @@ browser-compat: javascript.builtins.AsyncGeneratorFunction.AsyncGeneratorFunctio
 sidebar: jsref
 ---
 
+> [!WARNING]
+> The arguments passed this method are dynamically evaluated and executed as JavaScript.
+> APIs like this are known as [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage), and are potentially a vector for [cross-site-scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks.
+>
+> You can mitigate this risk by always passing {{domxref("TrustedScript")}} objects instead of strings and [enforcing trusted types](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types).
+>
+> See [Security considerations](#security_considerations) in the [`Function()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function) for more information.
+
 The **`AsyncGeneratorFunction()`** constructor creates {{jsxref("AsyncGeneratorFunction")}} objects.
 
 Note that `AsyncGeneratorFunction` is not a global object. It could be obtained by evaluating the following code.
@@ -31,15 +39,18 @@ AsyncGeneratorFunction(arg1, arg2, functionBody)
 AsyncGeneratorFunction(arg1, arg2, /* …, */ argN, functionBody)
 ```
 
-> [!NOTE]
-> `AsyncGeneratorFunction()` can be called with or without [`new`](/en-US/docs/Web/JavaScript/Reference/Operators/new). Both create a new `AsyncGeneratorFunction` instance.
+> [!NOTE] > `AsyncGeneratorFunction()` can be called with or without [`new`](/en-US/docs/Web/JavaScript/Reference/Operators/new).
+> Both create a new `AsyncGeneratorFunction` instance.
 
 ### Parameters
 
 See {{jsxref("Function/Function", "Function()")}}.
 
 ## Examples
 
+Note that these examples omit the use of trusted types for brevity.
+For code showing the usual approach, see [Using `TrustedScript`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#using_trustedscript) in `eval()`.
+
 ### Using the constructor
 
 The following example uses the `AsyncGeneratorFunction` constructor to create an async generator function.

@@ -7,6 +7,14 @@ browser-compat: javascript.builtins.GeneratorFunction.GeneratorFunction
 sidebar: jsref
 ---
 
+> [!WARNING]
+> The arguments passed this method are dynamically evaluated and executed as JavaScript.
+> APIs like this are known as [injection sinks](/en-US/docs/Web/API/Trusted_Types_API#concepts_and_usage), and are potentially a vector for [cross-site-scripting (XSS)](/en-US/docs/Web/Security/Attacks/XSS) attacks.
+>
+> You can mitigate this risk by always passing {{domxref("TrustedScript")}} objects instead of strings and [enforcing trusted types](/en-US/docs/Web/API/Trusted_Types_API#using_a_csp_to_enforce_trusted_types).
+>
+> See [Security considerations](#security_considerations) in the [`Function()` constructor](/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function) for more information.
+
 The **`GeneratorFunction()`** constructor creates {{jsxref("GeneratorFunction")}} objects.
 
 Note that `GeneratorFunction` is _not_ a global object. It can be obtained with the following code:
@@ -32,14 +40,18 @@ GeneratorFunction(arg1, arg2, /* …, */ argN, functionBody)
 ```
 
 > [!NOTE]
-> `GeneratorFunction()` can be called with or without [`new`](/en-US/docs/Web/JavaScript/Reference/Operators/new). Both create a new `GeneratorFunction` instance.
+> `GeneratorFunction()` can be called with or without [`new`](/en-US/docs/Web/JavaScript/Reference/Operators/new).
+> Both create a new `GeneratorFunction` instance.
 
 ### Parameters
 
 See {{jsxref("Function/Function", "Function()")}}.
 
 ## Examples
 
+Note that these examples omit the use of trusted types for brevity.
+For code showing the usual approach, see [Using `TrustedScript`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#using_trustedscript) in `eval()`.
+
 ### Creating and using a GeneratorFunction() constructor
 
 ```js