Diffstat (limited to 'testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html')
-rw-r--r-- | testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html | 45 |
1 files changed, 35 insertions, 10 deletions
diff --git a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
index 346e077a66..b7f74be6b7 100644
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
@@ -21,13 +21,15 @@
 assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);
 }, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");
- // Unknown, namespaced attributes should not be TT checked:
+ const htmlNamespace = "http://www.w3.org/1999/xhtml";
+
+ // Unknown attributes should not be TT checked:
 test(t => {
- assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string');
+ assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string', htmlNamespace, null);
 }, "Element.setAttributeNS accepts untrusted string for non-specced accessor");
 test(t => {
- assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null');
+ assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null', htmlNamespace, null);
 }, "Element.setAttributeNS accepts null for non-specced accessor");
 // Setup trusted values for use in subsequent tests.
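Review bot: Both "non-specced accessor" calls now pass `null` as the attribute namespace and the comment drops the word "namespaced", so an unknown attribute in a non-null namespace appears to be no longer exercised by these two tests; this is inferred, because the helper's previous default is not visible in this file. Keeping one extra case with a non-null attribute namespace would preserve that negative coverage of the Trusted Types check, though it needs the namespace constants declared before the call, since `xlinkNamespace` is only defined further down. The two new positional arguments are also opaque at the call site; a comment such as `// last two args: element namespace, attribute namespace` above the first call would make them readable.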
@@ -35,26 +37,49 @@
 const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML);
 const script = createScript_policy(window, '7').createScript(INPUTS.Script);
- const xlink = "http://www.w3.org/1999/xlink";
- const svg = "http://www.w3.org/2000/svg";
+ const xlinkNamespace = "http://www.w3.org/1999/xlink";
+ const svgNamespace = "http://www.w3.org/2000/svg";
 // svg:script xlink:href=... expects a TrustedScriptURL.
 // Assigning a TrustedScriptURL works.
 test(t => {
- let elem = document.createElementNS(svg, "script");
- elem.setAttributeNS(xlink, "href", script_url);
+ let elem = document.createElementNS(svgNamespace, "script");
+ elem.setAttributeNS(xlinkNamespace, "href", script_url);
 assert_equals("" + RESULTS.ScriptURL,
- elem.getAttributeNodeNS(xlink, "href").value);
+ elem.getAttributeNodeNS(xlinkNamespace, "href").value);
 }, "Assigning TrustedScriptURL to <svg:script xlink:href=...> works");
 // Assigning things that ought to not work.
 test(t => {
- let elem = document.createElementNS(svg, "script");
+ let elem = document.createElementNS(svgNamespace, "script");
 const values = [ "abc", null, html, script ];
 for (const v of values) {
 assert_throws_js(TypeError, _ => {
- elem.setAttributeNS(xlink, "href", v);
+ elem.setAttributeNS(xlinkNamespace, "href", v);
 });
 }
 }, "Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works");
+
+ // <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>.
+ const nonLowerCaseTests = [
+ { element: "iframe", attribute: "SRCDOC", elementNamespace: htmlNamespace },
+ { element: "embed", attribute: "SRC", elementNamespace: htmlNamespace },
+ { element: "script", attribute: "SRC", elementNamespace: htmlNamespace },
+ { element: "object", attribute: "DATA", elementNamespace: htmlNamespace },
+ { element: "object", attribute: "CODEBASE", elementNamespace: htmlNamespace },
+ { element: "script", attribute: "HREF", elementNamespace: svgNamespace },
+ { element: "script", attribute: "HREF", elementNamespace: svgNamespace,
+ attributeNamespace: xlinkNamespace },
+ ];
+
+ for (const testData of nonLowerCaseTests) {
+ const attributeNamespace = testData.attributeNamespace ?? null;
+
+ test(t => {
+ assert_element_accepts_non_trusted_type_set_ns(testData.element, testData.attribute, "v",
+ "v", testData.elementNamespace, attributeNamespace);
+ }, "Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute \"" +
+ testData.attribute + "\" (ns=" + attributeNamespace + ") for \"" + testData.element +
+ "\" element (ns=" + testData.elementNamespace + ").");
+ }
 </script> |
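Review bot: The `nonLowerCaseTests` table covers only upper-case spellings of the URL and HTML sink attributes; event handler content attributes, which the linked validate-attribute-mutation algorithm also guards, have no non-lowercase row. If that case is meant to be in scope, one more entry such as `{ element: "div", attribute: "ONCLICK", elementNamespace: htmlNamespace }` would cover it. The table is introduced by a bare spec link, so a why-comment would help the next reader, e.g. `// setAttributeNS does not lowercase the local name, so "SRC" is not the "src" sink and must not be TT checked.` Whether the helper treats these rows as expected cannot be confirmed from this hunk, because its definition is outside this file.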