forked from WebKit/WebKit
Implement trusted types integrations with DOM attribute APIs.
https://bugs.webkit.org/show_bug.cgi?id=270436

Reviewed by Ryosuke Niwa.

Implement the spec updates at whatwg/dom#1247

It also removes some expectations in GTK as the results should be in line with the general expectation file.

* LayoutTests/TestExpectations:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/GlobalEventHandlers-onclick-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-Element-setAttribute-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-Element-setAttributeNS-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/trusted-types-event-handlers-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/trusted-types-event-handlers.html:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/trusted-types-svg-script-set-href-expected.txt:
* LayoutTests/platform/gtk/TestExpectations:
* Source/WebCore/dom/Element.cpp:
(WebCore::trustedTypesCompliantAttributeValue):
(WebCore::Element::validateAttributeIndex const):
(WebCore::Element::toggleAttribute):
(WebCore::Element::setAttribute):
(WebCore::Element::setElementsArrayAttribute):
(WebCore::appendAttributes):
(WebCore::Element::setAttributeNode):
(WebCore::Element::setAttributeNodeNS):
(WebCore::Element::setAttributeNS):
* Source/WebCore/dom/Element.h:
* Source/WebCore/dom/Element.idl:
* Source/WebCore/dom/TrustedScript.h:
* Source/WebCore/dom/TrustedScriptURL.h:
(WebCore::TrustedScriptURL::toString const): Deleted.
(WebCore::TrustedScriptURL::toJSON const): Deleted.
* Source/WebCore/dom/TrustedType.cpp:
(WebCore::stringToTrustedType):
(WebCore::trustedTypeForAttribute):
* Source/WebCore/dom/TrustedType.h:
* Source/WebCore/dom/TrustedTypePolicyFactory.cpp:
(WebCore::TrustedTypePolicyFactory::getAttributeType const):
* Source/WebKit/WebProcess/InjectedBundle/API/mac/WKDOMElement.mm:
(-[WKDOMElement setAttribute:value:]):
* Source/WebKitLegacy/mac/DOM/DOMElement.mm:
(-[DOMElement setAttribute:value:]):
(-[DOMElement setAttributeNS:qualifiedName:value:]):

Canonical link: https://commits.webkit.org/278817@main
1 parent ef2e9b1, commit 9a38b69
Showing 20 changed files with 460 additions and 415 deletions.
32 changes: 16 additions & 16 deletions
...sted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,20 @@ | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
|
||
|
||
|
||
FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=iframe; Parent=div; Attribute=srcdoc assert_throws_js: function "() => { | ||
sourceElement.setAttributeNode(sourceAttr); | ||
}" did not throw | ||
FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=script; Parent=div; Attribute=src assert_throws_js: function "() => { | ||
sourceElement.setAttributeNode(sourceAttr); | ||
}" did not throw | ||
FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=script; Parent=svg; Attribute=href assert_throws_js: function "() => { | ||
sourceElement.setAttributeNode(sourceAttr); | ||
}" did not throw | ||
FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=script; Parent=svg; Attribute=xlink:href assert_throws_js: function "() => { | ||
sourceElement.setAttributeNode(sourceAttr); | ||
}" did not throw | ||
PASS setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=iframe; Parent=div; Attribute=srcdoc | ||
PASS setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=script; Parent=div; Attribute=src | ||
PASS setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=script; Parent=svg; Attribute=href | ||
PASS setAttribute and setAttributeNode respect the element's node document's global's CSP; | ||
Element=script; Parent=svg; Attribute=xlink:href | ||
|
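Review bot: the CONSOLE MESSAGE lines at the top of this expectation name only the required type (TrustedScriptURL or TrustedHTML) and the directive, not the element or attribute that was written, so a violation logged here cannot be matched to one of the four Element/Attribute cases listed below it (iframe srcdoc, script src, svg script href, svg script xlink:href). Consider including the sink in the violation message, or record in the bug why the generic wording is kept, so that a future regression in only one of these cases is visible from the console output and not just from the PASS/FAIL lines.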
6 changes: 4 additions & 2 deletions
...ts/imported/w3c/web-platform-tests/trusted-types/GlobalEventHandlers-onclick-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,7 @@ | ||
CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
|
||
PASS a.setAttribte('onclick') sets a trusted script. | ||
FAIL a.setAttribute('onclick') sets an unsuitable trusted type. assert_unreached: Reached unreachable code | ||
FAIL a.setAttribute('click') sets a test string. assert_unreached: Reached unreachable code | ||
PASS a.setAttribute('onclick') sets an unsuitable trusted type. | ||
PASS a.setAttribute('click') sets a test string. | ||
|
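Review bot: the first result line, "a.setAttribte('onclick') sets a trusted script.", carries a typo in the test name (setAttribte), so it will not be found when searching for the a.setAttribute(...) cases that follow it. The expectation is generated from the imported web-platform-tests source, so the name should be corrected there and re-imported rather than edited in this file; worth filing alongside this change since the other two cases in the file now pass.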
35 changes: 18 additions & 17 deletions
...platform-tests/trusted-types/block-string-assignment-to-Element-setAttribute-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,23 +1,24 @@ | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
|
||
FAIL script.src accepts only TrustedScriptURL assert_throws_js: function "_ => { | ||
elem.setAttribute(attribute, value); | ||
}" did not throw | ||
FAIL iframe.srcdoc accepts only TrustedHTML assert_throws_js: function "_ => { | ||
elem.setAttribute(attribute, value); | ||
}" did not throw | ||
FAIL div.onclick accepts only TrustedScript assert_throws_js: function "_ => { | ||
elem.setAttribute(attribute, value); | ||
}" did not throw | ||
FAIL `Script.prototype.setAttribute.SrC = string` throws. assert_throws_js: function "_ => { | ||
el.setAttribute('SrC', INPUTS.URL); | ||
}" did not throw | ||
PASS script.src accepts only TrustedScriptURL | ||
PASS iframe.srcdoc accepts only TrustedHTML | ||
PASS div.onclick accepts only TrustedScript | ||
PASS `Script.prototype.setAttribute.SrC = string` throws. | ||
PASS script.src accepts string and null after default policy was created. | ||
FAIL script.src's mutationobservers receive the default policy's value. assert_equals: expected "http://this.is.a.successful.test/" but got "http://this.is.a.scripturl.test/" | ||
FAIL iframe.srcdoc's mutationobservers receive the default policy's value. assert_equals: expected "Quack, I want to be a duck!" but got "Hi, I want to be transformed!" | ||
FAIL div.onclick's mutationobservers receive the default policy's value. assert_equals: expected "Meow, I want to be a cat!" but got "Hi, I want to be transformed!" | ||
PASS script.src's mutationobservers receive the default policy's value. | ||
PASS iframe.srcdoc's mutationobservers receive the default policy's value. | ||
PASS div.onclick's mutationobservers receive the default policy's value. | ||
PASS iframe.srcdoc accepts string and null after default policy was created. | ||
FAIL div.onclick accepts string and null after default policy was created. assert_equals: expected "Meow, I want to be a cat!" but got "Hi, I want to be transformed!" | ||
PASS div.onclick accepts string and null after default policy was created. | ||
PASS a.rel accepts strings | ||
PASS a.rel accepts null | ||
FAIL `script.src = setAttributeNode(embed.src)` with string works. assert_equals: expected "http://this.is.a.successful.test/" but got "http://this.is.a.scripturl.test/" | ||
PASS `script.src = setAttributeNode(embed.src)` with string works. | ||
|
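Review bot: the results in this expectation exercise setAttribute and, in the last line, setAttributeNode, but nothing here exercises setAttributeNodeNS, which the commit message lists among the functions changed in Element.cpp. The earlier "expected ... but got ..." failures show the risk: the attribute was stored with the caller's string instead of the default policy's output, which is exactly what an unconverted path would look like. Please confirm that the setAttributeNS expectation (or another test in this change) covers the setAttributeNodeNS path with a default policy installed, and add a case if it does not.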
8 changes: 5 additions & 3 deletions
...atform-tests/trusted-types/block-string-assignment-to-Element-setAttributeNS-expected.txt