Diffstat (limited to 'testing/web-platform/tests/trusted-types')
-rw-r--r--testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html38
-rw-r--r--testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html45
-rw-r--r--testing/web-platform/tests/trusted-types/idlharness.window.js (renamed from testing/web-platform/tests/trusted-types/idlharness.tentative.window.js.html)0
-rw-r--r--testing/web-platform/tests/trusted-types/support/helper.sub.js11
-rw-r--r--testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html2
-rw-r--r--testing/web-platform/tests/trusted-types/support/navigation-support.html2
-rw-r--r--testing/web-platform/tests/trusted-types/trusted-types-from-literal.tentative.html (renamed from testing/web-platform/tests/trusted-types/trusted-types-from-literal.html)0
7 files changed, 70 insertions, 28 deletions
diff --git a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html
index 1d39a804f3..295890f319 100644
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html
@@ -13,10 +13,10 @@
// TrustedScriptURL Assignments
const scriptURLTestCases = [
- [ 'embed', 'src' ],
- [ 'object', 'data' ],
- [ 'object', 'codeBase' ],
- [ 'script', 'src' ]
+ [ 'embed', 'src', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL],
+ [ 'object', 'data', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL ],
+ [ 'object', 'codeBase', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL ],
+ [ 'script', 'src', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL ]
];
scriptURLTestCases.forEach(c => {
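Review bot: The test-case rows are now four-element positional tuples, so later assertions read `c[2]` and `c[3]` with nothing at the call site saying which is the policy input and which is the expected output. A one-line comment above each table, for example `// [ element, attribute, input passed to setAttribute, value expected after the policy runs ]`, would make them readable. The same applies to `HTMLTestCases` and `ScriptTestCases` in the next two hunks, whose new entries also have stray spacing (`'srcdoc' , INPUTS.HTML, RESULTS.HTML]`). The `forEach` body that consumes these rows continues outside this hunk.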
@@ -31,12 +31,12 @@
// TrustedHTML Assignments
const HTMLTestCases = [
- [ 'iframe', 'srcdoc' ]
+ [ 'iframe', 'srcdoc' , INPUTS.HTML, RESULTS.HTML]
];
HTMLTestCases.forEach(c => {
test(t => {
- assert_element_accepts_trusted_html_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], RESULTS.HTML);
+ assert_element_accepts_trusted_html_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], c[3]);
assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
assert_throws_no_trusted_type_explicit_set(c[0], c[1], nullPolicy.createScript('script'));
@@ -45,12 +45,12 @@
// TrustedScript Assignments
const ScriptTestCases = [
- [ 'div', 'onclick' ]
+ [ 'div', 'onclick' , INPUTS.SCRIPT, RESULTS.SCRIPT]
];
ScriptTestCases.forEach(c => {
test(t => {
- assert_element_accepts_trusted_script_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], RESULTS.SCRIPT);
+ assert_element_accepts_trusted_script_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], c[3]);
assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
}, c[0] + "." + c[1] + " accepts only TrustedScript");
@@ -70,21 +70,37 @@
let p = window.trustedTypes.createPolicy("default", { createScriptURL: createScriptURLJS, createHTML: createHTMLJS, createScript: createScriptJS }, true);
scriptURLTestCases.forEach(c => {
test(t => {
- assert_element_accepts_trusted_type(c[0], c[1], INPUTS.SCRIPTURL, RESULTS.SCRIPTURL);
+ assert_element_accepts_trusted_type(c[0], c[1], c[2], c[3]);
assert_element_accepts_trusted_type(c[0], c[1], null, window.location.toString().replace(/[^\/]*$/, "null"));
}, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
});
+ scriptURLTestCases.concat(HTMLTestCases).concat(ScriptTestCases).forEach(c => {
+ async_test(t => {
+ const testElement = document.createElement(c[0]);
+
+ const observer = new MutationObserver(t.step_func_done((aMutations, aObserver) => {
+ assert_equals(aMutations.length, 1);
+ const newValue = aMutations[0].target.getAttribute(c[1]);
+ assert_equals(newValue, c[3]);
+ }));
+
+ observer.observe(testElement, { attributes: true});
+
+ testElement.setAttribute(c[1], c[2]);
+ }, c[0] + "." + c[1] + "'s mutationobservers receive the default policy's value.");
+ });
+
HTMLTestCases.forEach(c => {
test(t => {
- assert_element_accepts_trusted_type(c[0], c[1], INPUTS.HTML, RESULTS.HTML);
+ assert_element_accepts_trusted_type(c[0], c[1], c[2], c[3]);
assert_element_accepts_trusted_type(c[0], c[1], null, "null");
}, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
});
ScriptTestCases.forEach(c => {
test(t => {
- assert_element_accepts_trusted_type_explicit_set(c[0], c[1], INPUTS.SCRIPT, RESULTS.SCRIPT);
+ assert_element_accepts_trusted_type_explicit_set(c[0], c[1], c[2], c[3]);
assert_element_accepts_trusted_type_explicit_set(c[0], c[1], null, "null");
}, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
});
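Review bot: The new MutationObserver callback asserts only the record count and then re-reads the attribute from the target, so it never checks that the record is for the attribute under test, and the observer is never disconnected. Adding `assert_equals(aMutations[0].attributeName, c[1]);` before the `getAttribute` call and `aObserver.disconnect();` at the end of the callback would tie the assertion to the mutation being tested. A short comment would also help, saying that exactly one record is expected because, presumably, the raw string must never be written before the default policy's result. The block this code sits in starts above the hunk.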
diff --git a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
index 346e077a66..b7f74be6b7 100644
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html
@@ -21,13 +21,15 @@
assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);
}, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");
- // Unknown, namespaced attributes should not be TT checked:
+ const htmlNamespace = "http://www.w3.org/1999/xhtml";
+
+ // Unknown attributes should not be TT checked:
test(t => {
- assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string');
+ assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string', htmlNamespace, null);
}, "Element.setAttributeNS accepts untrusted string for non-specced accessor");
test(t => {
- assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null');
+ assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null', htmlNamespace, null);
}, "Element.setAttributeNS accepts null for non-specced accessor");
// Setup trusted values for use in subsequent tests.
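Review bot: Both "non-specced accessor" tests now pass `null` as the attribute namespace, so the case the removed comment described, an unknown attribute in a non-null namespace, appears to be no longer exercised here. Before this change the helper set the attribute in the XHTML namespace, which was the old value of `namespace` in helper.sub.js. If that coverage is still wanted, a third test such as `assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string', htmlNamespace, htmlNamespace);` would keep it. Other parts of the file are outside this hunk and may already cover it.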
@@ -35,26 +37,49 @@
const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML);
const script = createScript_policy(window, '7').createScript(INPUTS.Script);
- const xlink = "http://www.w3.org/1999/xlink";
- const svg = "http://www.w3.org/2000/svg";
+ const xlinkNamespace = "http://www.w3.org/1999/xlink";
+ const svgNamespace = "http://www.w3.org/2000/svg";
// svg:script xlink:href=... expects a TrustedScriptURL.
// Assigning a TrustedScriptURL works.
test(t => {
- let elem = document.createElementNS(svg, "script");
- elem.setAttributeNS(xlink, "href", script_url);
+ let elem = document.createElementNS(svgNamespace, "script");
+ elem.setAttributeNS(xlinkNamespace, "href", script_url);
assert_equals("" + RESULTS.ScriptURL,
- elem.getAttributeNodeNS(xlink, "href").value);
+ elem.getAttributeNodeNS(xlinkNamespace, "href").value);
}, "Assigning TrustedScriptURL to <svg:script xlink:href=...> works");
// Assigning things that ought to not work.
test(t => {
- let elem = document.createElementNS(svg, "script");
+ let elem = document.createElementNS(svgNamespace, "script");
const values = [ "abc", null, html, script ];
for (const v of values) {
assert_throws_js(TypeError, _ => {
- elem.setAttributeNS(xlink, "href", v);
+ elem.setAttributeNS(xlinkNamespace, "href", v);
});
}
}, "Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works");
+
+ // <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>.
+ const nonLowerCaseTests = [
+ { element: "iframe", attribute: "SRCDOC", elementNamespace: htmlNamespace },
+ { element: "embed", attribute: "SRC", elementNamespace: htmlNamespace },
+ { element: "script", attribute: "SRC", elementNamespace: htmlNamespace },
+ { element: "object", attribute: "DATA", elementNamespace: htmlNamespace },
+ { element: "object", attribute: "CODEBASE", elementNamespace: htmlNamespace },
+ { element: "script", attribute: "HREF", elementNamespace: svgNamespace },
+ { element: "script", attribute: "HREF", elementNamespace: svgNamespace,
+ attributeNamespace: xlinkNamespace },
+ ];
+
+ for (const testData of nonLowerCaseTests) {
+ const attributeNamespace = testData.attributeNamespace ?? null;
+
+ test(t => {
+ assert_element_accepts_non_trusted_type_set_ns(testData.element, testData.attribute, "v",
+ "v", testData.elementNamespace, attributeNamespace);
+ }, "Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute \"" +
+ testData.attribute + "\" (ns=" + attributeNamespace + ") for \"" + testData.element +
+ "\" element (ns=" + testData.elementNamespace + ").");
+ }
</script>
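Review bot: The `nonLowerCaseTests` table is introduced with only a spec URL, which leaves implicit why these upper-case names are expected to be accepted without a trusted type. A comment along the lines of `// setAttributeNS does not lowercase the local name, so "SRCDOC" is not the "srcdoc" sink and a plain string must be accepted.` would state the intent. That reading is inferred from the test titles and the linked validate-attribute-mutation section, so it should be confirmed against the spec text before it is written down.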
diff --git a/testing/web-platform/tests/trusted-types/idlharness.tentative.window.js.html b/testing/web-platform/tests/trusted-types/idlharness.window.js
index 07847fdb39..07847fdb39 100644
--- a/testing/web-platform/tests/trusted-types/idlharness.tentative.window.js.html
+++ b/testing/web-platform/tests/trusted-types/idlharness.window.js
diff --git a/testing/web-platform/tests/trusted-types/support/helper.sub.js b/testing/web-platform/tests/trusted-types/support/helper.sub.js
index 2d1bd436bd..1775cd985c 100644
--- a/testing/web-platform/tests/trusted-types/support/helper.sub.js
+++ b/testing/web-platform/tests/trusted-types/support/helper.sub.js
@@ -125,7 +125,7 @@ function assert_element_accepts_non_trusted_type_explicit_set(tag, attribute, va
assert_equals(elem.getAttribute(attribute), expected);
}
-let namespace = 'http://www.w3.org/1999/xhtml';
+let namespace = null;
function assert_element_accepts_trusted_html_set_ns(win, c, t, tag, attribute, expected) {
let p = createHTML_policy(win, c);
let html = p.createHTML(INPUTS.HTML);
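Review bot: `let namespace = null;` is a mutable script-level binding with a very generic name, and changing its value alters the attribute namespace for every `*_set_ns` helper that reads it, not only the one reworked in this commit. If nothing reassigns it, `const namespace = null;` with a comment such as `// Attribute namespace used by the *_set_ns helpers; null means no namespace.` would make that explicit. Most of the helpers that read it are outside this hunk, so it is worth checking which tests change behaviour.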
@@ -158,9 +158,10 @@ function assert_throws_no_trusted_type_set_ns(tag, attribute, value) {
});
}
-function assert_element_accepts_non_trusted_type_set_ns(tag, attribute, value, expected) {
- let elem = document.createElement(tag);
- elem.setAttributeNS(namespace, attribute, value);
- let attr_node = elem.getAttributeNodeNS(namespace, attribute);
+function assert_element_accepts_non_trusted_type_set_ns(tag, attribute, value, expected,
+ elementNamespace, attributeNamespace) {
+ let elem = document.createElementNS(elementNamespace, tag);
+ elem.setAttributeNS(attributeNamespace, attribute, value);
+ let attr_node = elem.getAttributeNodeNS(attributeNamespace, attribute);
assert_equals(attr_node.value + "", expected);
}
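Review bot: `elementNamespace` and `attributeNamespace` are added as required positional parameters, so any caller still passing four arguments would reach `document.createElementNS(undefined, tag)`. That should create an element in no namespace rather than an HTML element, and an "accepts untrusted string" assertion on such an element would likely pass without exercising the Trusted Types check at all. Default values would keep old call sites meaningful: `elementNamespace = 'http://www.w3.org/1999/xhtml', attributeNamespace = null) {`. Whether other callers exist is not visible from this page.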
diff --git a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html
index 5f7856fabb..a16995ba90 100644
--- a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html
+++ b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html
@@ -31,7 +31,7 @@
// Navigate to the non-report-only version of the test. That has the same
// event listening setup as this, but is a different target URI.
const target_script = `location.href='${location.href.replace("-report-only", "") + "#continue"}';`;
- const target = `javascript:"<script>${target_script}</scri${""}pt>"`;
+ const target = `javascript:${target_script}`;
// Navigate the anchor, but only after the content is loaded (so that we
// won't disturb delivery of that event to the opener.
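Review bot: With the `<script>` wrapper gone, `target_script` becomes the body of the `javascript:` URL as-is, and the context line above builds it by splicing `location.href` into a single-quoted literal without escaping. A quote or a percent-encoded quote in the test URL would end the literal early, since `javascript:` URL bodies are percent-decoded before they run. The harness controls this support file's URL, so the risk is low, but building the literal with `JSON.stringify(...)` and emitting `javascript:${encodeURIComponent(target_script)}` would make it robust. The same applies to the matching line in navigation-support.html.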
diff --git a/testing/web-platform/tests/trusted-types/support/navigation-support.html b/testing/web-platform/tests/trusted-types/support/navigation-support.html
index 5e02e6d4bf..c2c8a82f51 100644
--- a/testing/web-platform/tests/trusted-types/support/navigation-support.html
+++ b/testing/web-platform/tests/trusted-types/support/navigation-support.html
@@ -32,7 +32,7 @@
// re-use the messageing mechanisms above. In order to not end up in a loop,
// we'll only click if we don't find fragment in the current URL.
const target_script = `location.href='${location.href}&continue';`;
- const target = `javascript:"<script>${target_script}</scri${""}pt>"`;
+ const target = `javascript:${target_script}`;
const anchor = document.getElementById("anchor");
anchor.href = target;
diff --git a/testing/web-platform/tests/trusted-types/trusted-types-from-literal.html b/testing/web-platform/tests/trusted-types/trusted-types-from-literal.tentative.html
index a7d5659e16..a7d5659e16 100644
--- a/testing/web-platform/tests/trusted-types/trusted-types-from-literal.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-from-literal.tentative.html