Diffstat (limited to 'testing/web-platform/tests/trusted-types')
-rw-r--r-- | testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html | 38 | ||||
-rw-r--r-- | testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html | 45 | ||||
-rw-r--r-- | testing/web-platform/tests/trusted-types/idlharness.window.js (renamed from testing/web-platform/tests/trusted-types/idlharness.tentative.window.js.html) | 0 | ||||
-rw-r--r-- | testing/web-platform/tests/trusted-types/support/helper.sub.js | 11 | ||||
-rw-r--r-- | testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html | 2 | ||||
-rw-r--r-- | testing/web-platform/tests/trusted-types/support/navigation-support.html | 2 | ||||
-rw-r--r-- | testing/web-platform/tests/trusted-types/trusted-types-from-literal.tentative.html (renamed from testing/web-platform/tests/trusted-types/trusted-types-from-literal.html) | 0 |
7 files changed, 70 insertions, 28 deletions
diff --git a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html index 1d39a804f3..295890f319 100644 --- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html +++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.html @@ -13,10 +13,10 @@ // TrustedScriptURL Assignments const scriptURLTestCases = [ - [ 'embed', 'src' ], - [ 'object', 'data' ], - [ 'object', 'codeBase' ], - [ 'script', 'src' ] + [ 'embed', 'src', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL], + [ 'object', 'data', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL ], + [ 'object', 'codeBase', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL ], + [ 'script', 'src', INPUTS.SCRIPTURL, RESULTS.SCRIPTURL ] ]; scriptURLTestCases.forEach(c => { @@ -31,12 +31,12 @@ // TrustedHTML Assignments const HTMLTestCases = [ - [ 'iframe', 'srcdoc' ] + [ 'iframe', 'srcdoc' , INPUTS.HTML, RESULTS.HTML] ]; HTMLTestCases.forEach(c => { test(t => { - assert_element_accepts_trusted_html_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], RESULTS.HTML); + assert_element_accepts_trusted_html_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], c[3]); assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string'); assert_throws_no_trusted_type_explicit_set(c[0], c[1], null); assert_throws_no_trusted_type_explicit_set(c[0], c[1], nullPolicy.createScript('script')); 
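Review bot: The rows of `scriptURLTestCases` are now four-element arrays that later code reads as `c[2]` and `c[3]`, and nothing in the hunk says what the two new positions hold. A comment above the table such as `// [element, attribute, string passed to the sink, value expected after the policy ran]` would make those indices checkable; the same applies to `HTMLTestCases` in the next hunk and `ScriptTestCases` in the one after. In those two hunks the explicit-set calls receive only `c[3]`, so the input column is presumably supplied by the helper itself there, which is worth stating as well. The first row also lacks the space before `]` that the other rows have.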
@@ -45,12 +45,12 @@ // TrustedScript Assignments const ScriptTestCases = [ - [ 'div', 'onclick' ] + [ 'div', 'onclick' , INPUTS.SCRIPT, RESULTS.SCRIPT] ]; ScriptTestCases.forEach(c => { test(t => { - assert_element_accepts_trusted_script_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], RESULTS.SCRIPT); + assert_element_accepts_trusted_script_explicit_set(window, c[0] + "-" + c[1], t, c[0], c[1], c[3]); assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string'); assert_throws_no_trusted_type_explicit_set(c[0], c[1], null); }, c[0] + "." + c[1] + " accepts only TrustedScript"); 
@@ -70,21 +70,37 @@ let p = window.trustedTypes.createPolicy("default", { createScriptURL: createScriptURLJS, createHTML: createHTMLJS, createScript: createScriptJS }, true); scriptURLTestCases.forEach(c => { test(t => { - assert_element_accepts_trusted_type(c[0], c[1], INPUTS.SCRIPTURL, RESULTS.SCRIPTURL); + assert_element_accepts_trusted_type(c[0], c[1], c[2], c[3]); assert_element_accepts_trusted_type(c[0], c[1], null, window.location.toString().replace(/[^\/]*$/, "null")); }, c[0] + "." + c[1] + " accepts string and null after default policy was created."); }); + scriptURLTestCases.concat(HTMLTestCases).concat(ScriptTestCases).forEach(c => { + async_test(t => { + const testElement = document.createElement(c[0]); + + const observer = new MutationObserver(t.step_func_done((aMutations, aObserver) => { + assert_equals(aMutations.length, 1); + const newValue = aMutations[0].target.getAttribute(c[1]); + assert_equals(newValue, c[3]); + })); + + observer.observe(testElement, { attributes: true}); + + testElement.setAttribute(c[1], c[2]); + }, c[0] + "." + c[1] + "'s mutationobservers receive the default policy's value."); + }); + HTMLTestCases.forEach(c => { test(t => { - assert_element_accepts_trusted_type(c[0], c[1], INPUTS.HTML, RESULTS.HTML); + assert_element_accepts_trusted_type(c[0], c[1], c[2], c[3]); assert_element_accepts_trusted_type(c[0], c[1], null, "null"); }, c[0] + "." + c[1] + " accepts string and null after default policy was created."); }); ScriptTestCases.forEach(c => { test(t => { - assert_element_accepts_trusted_type_explicit_set(c[0], c[1], INPUTS.SCRIPT, RESULTS.SCRIPT); + assert_element_accepts_trusted_type_explicit_set(c[0], c[1], c[2], c[3]); assert_element_accepts_trusted_type_explicit_set(c[0], c[1], null, "null"); }, c[0] + "." + c[1] + " accepts string and null after default policy was created."); }); 
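Review bot: The MutationObserver callback in the added `async_test` reads the value back with `aMutations[0].target.getAttribute(c[1])` and never inspects the record itself, so it would also pass for a record about a different attribute. Adding `assert_equals(aMutations[0].type, "attributes");` and `assert_equals(aMutations[0].attributeName, c[1]);` before the value check ties the assertion to the mutation under test. The property being pinned is that observers only ever see the default policy's output and never the raw string, and a one-line comment saying so above the `async_test` would help the next reader. If no record is delivered, the test ends by harness timeout rather than by a failed assertion.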
diff --git a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html index 346e077a66..b7f74be6b7 100644 --- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html +++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html @@ -21,13 +21,15 @@ assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL); }, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)"); - // Unknown, namespaced attributes should not be TT checked: + const htmlNamespace = "http://www.w3.org/1999/xhtml"; + + // Unknown attributes should not be TT checked: test(t => { - assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string'); + assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string', htmlNamespace, null); }, "Element.setAttributeNS accepts untrusted string for non-specced accessor"); test(t => { - assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null'); + assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null', htmlNamespace, null); }, "Element.setAttributeNS accepts null for non-specced accessor"); // Setup trusted values for use in subsequent tests. 
@@ -35,26 +37,49 @@ const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML); const script = createScript_policy(window, '7').createScript(INPUTS.Script); - const xlink = "http://www.w3.org/1999/xlink"; - const svg = "http://www.w3.org/2000/svg"; + const xlinkNamespace = "http://www.w3.org/1999/xlink"; + const svgNamespace = "http://www.w3.org/2000/svg"; // svg:script xlink:href=... expects a TrustedScriptURL. // Assigning a TrustedScriptURL works. test(t => { - let elem = document.createElementNS(svg, "script"); - elem.setAttributeNS(xlink, "href", script_url); + let elem = document.createElementNS(svgNamespace, "script"); + elem.setAttributeNS(xlinkNamespace, "href", script_url); assert_equals("" + RESULTS.ScriptURL, - elem.getAttributeNodeNS(xlink, "href").value); + elem.getAttributeNodeNS(xlinkNamespace, "href").value); }, "Assigning TrustedScriptURL to <svg:script xlink:href=...> works"); // Assigning things that ought to not work. test(t => { - let elem = document.createElementNS(svg, "script"); + let elem = document.createElementNS(svgNamespace, "script"); const values = [ "abc", null, html, script ]; for (const v of values) { assert_throws_js(TypeError, _ => { - elem.setAttributeNS(xlink, "href", v); + elem.setAttributeNS(xlinkNamespace, "href", v); }); } }, "Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works"); + + // <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. 
+ const nonLowerCaseTests = [ + { element: "iframe", attribute: "SRCDOC", elementNamespace: htmlNamespace }, + { element: "embed", attribute: "SRC", elementNamespace: htmlNamespace }, + { element: "script", attribute: "SRC", elementNamespace: htmlNamespace }, + { element: "object", attribute: "DATA", elementNamespace: htmlNamespace }, + { element: "object", attribute: "CODEBASE", elementNamespace: htmlNamespace }, + { element: "script", attribute: "HREF", elementNamespace: svgNamespace }, + { element: "script", attribute: "HREF", elementNamespace: svgNamespace, + attributeNamespace: xlinkNamespace }, + ]; + + for (const testData of nonLowerCaseTests) { + const attributeNamespace = testData.attributeNamespace ?? null; + + test(t => { + assert_element_accepts_non_trusted_type_set_ns(testData.element, testData.attribute, "v", + "v", testData.elementNamespace, attributeNamespace); + }, "Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute \"" + + testData.attribute + "\" (ns=" + attributeNamespace + ") for \"" + testData.element + + "\" element (ns=" + testData.elementNamespace + ")."); + } </script> diff --git a/testing/web-platform/tests/trusted-types/idlharness.tentative.window.js.html b/testing/web-platform/tests/trusted-types/idlharness.window.js index 07847fdb39..07847fdb39 100644 --- a/testing/web-platform/tests/trusted-types/idlharness.tentative.window.js.html +++ b/testing/web-platform/tests/trusted-types/idlharness.window.js diff --git a/testing/web-platform/tests/trusted-types/support/helper.sub.js b/testing/web-platform/tests/trusted-types/support/helper.sub.js index 2d1bd436bd..1775cd985c 100644 --- a/testing/web-platform/tests/trusted-types/support/helper.sub.js +++ b/testing/web-platform/tests/trusted-types/support/helper.sub.js 
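Review bot: The `nonLowerCaseTests` loop only checks the accept path, so a regression that stopped checking `setAttributeNS` altogether would pass all seven cases. Unless it is already covered above this hunk, a matching negative control per HTML row would pin the boundary, for example `assert_throws_no_trusted_type_set_ns(testData.element, testData.attribute.toLowerCase(), "v");`, provided that helper creates an HTML element and uses the null attribute namespace. Separately, the context lines here read `INPUTS.Script` and `RESULTS.ScriptURL`, while the setAttribute test in this commit uses `INPUTS.SCRIPT` and `RESULTS.SCRIPTURL`. If the helper defines only the upper-case keys, these evaluate to `undefined`, which is worth confirming. The hunk starts inside the `<script>` block, so earlier tests in the file are not visible.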
@@ -125,7 +125,7 @@ function assert_element_accepts_non_trusted_type_explicit_set(tag, attribute, va assert_equals(elem.getAttribute(attribute), expected); } -let namespace = 'http://www.w3.org/1999/xhtml'; +let namespace = null; function assert_element_accepts_trusted_html_set_ns(win, c, t, tag, attribute, expected) { let p = createHTML_policy(win, c); let html = p.createHTML(INPUTS.HTML); @@ -158,9 +158,10 @@ function assert_throws_no_trusted_type_set_ns(tag, attribute, value) { }); } -function assert_element_accepts_non_trusted_type_set_ns(tag, attribute, value, expected) { - let elem = document.createElement(tag); - elem.setAttributeNS(namespace, attribute, value); - let attr_node = elem.getAttributeNodeNS(namespace, attribute); +function assert_element_accepts_non_trusted_type_set_ns(tag, attribute, value, expected, + elementNamespace, attributeNamespace) { + let elem = document.createElementNS(elementNamespace, tag); + elem.setAttributeNS(attributeNamespace, attribute, value); + let attr_node = elem.getAttributeNodeNS(attributeNamespace, attribute); assert_equals(attr_node.value + "", expected); } diff --git a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html index 5f7856fabb..a16995ba90 100644 --- a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html +++ b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html 
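Review bot: `let namespace = null;` carries no explanation, although it changes the attribute namespace for every helper that reads this global, presumably the other `*_set_ns` helpers whose bodies are outside the hunk. A comment such as `// Attribute namespace used by the *_set_ns helpers; null because the attributes Trusted Types guards are in no namespace.` would record why the XHTML namespace was dropped. I am inferring that rationale from the spec link added in the setAttributeNS test, so please confirm it. If nothing reassigns the variable, `const` and a more specific name such as `attributeNamespace` would also prevent accidental reuse.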
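Review bot: The two new parameters of `assert_element_accepts_non_trusted_type_set_ns` have no defaults, so a caller still passing four arguments would hand `undefined` to `createElementNS` and `setAttributeNS`. As far as I know, WebIDL converts `undefined` to `null` for these nullable namespace arguments, so such a call would build a null-namespace element rather than an HTML one. An "accepts untrusted string" assertion could then pass without exercising any Trusted Types check. Both callers visible in this commit pass six arguments, but callers outside the diff are not visible. Defaults would keep the old element behaviour: `elementNamespace = "http://www.w3.org/1999/xhtml", attributeNamespace = null`.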
@@ -31,7 +31,7 @@ // Navigate to the non-report-only version of the test. That has the same // event listening setup as this, but is a different target URI. const target_script = `location.href='${location.href.replace("-report-only", "") + "#continue"}';`; - const target = `javascript:"<script>${target_script}</scri${""}pt>"`; + const target = `javascript:${target_script}`; // Navigate the anchor, but only after the content is loaded (so that we // won't disturb delivery of that event to the opener. diff --git a/testing/web-platform/tests/trusted-types/support/navigation-support.html b/testing/web-platform/tests/trusted-types/support/navigation-support.html index 5e02e6d4bf..c2c8a82f51 100644 --- a/testing/web-platform/tests/trusted-types/support/navigation-support.html +++ b/testing/web-platform/tests/trusted-types/support/navigation-support.html @@ -32,7 +32,7 @@ // re-use the messageing mechanisms above. In order to not end up in a loop, // we'll only click if we don't find fragment in the current URL. const target_script = `location.href='${location.href}&continue';`; - const target = `javascript:"<script>${target_script}</scri${""}pt>"`; + const target = `javascript:${target_script}`; const anchor = document.getElementById("anchor"); anchor.href = target; diff --git a/testing/web-platform/tests/trusted-types/trusted-types-from-literal.html b/testing/web-platform/tests/trusted-types/trusted-types-from-literal.tentative.html index a7d5659e16..a7d5659e16 100644 --- a/testing/web-platform/tests/trusted-types/trusted-types-from-literal.html +++ b/testing/web-platform/tests/trusted-types/trusted-types-from-literal.tentative.html |
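Review bot: The new `target` line turns the `javascript:` URL into a bare statement, `location.href='…';`, whose completion value is the assigned string. A string result from a `javascript:` navigation is normally rendered as the replacement document, so which of the two navigations takes effect is left implicit. The same change appears in the navigation-support.html hunk below. If the test depends on the `location.href` navigation winning, a comment saying so would help, for example `// Script runs directly; the location.href navigation is what the opener observes.`. Alternatively, end the script with `void 0;` if that does not disturb what the policy under test is expected to see. The surrounding listener setup is outside both hunks.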