1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
</head>
<body>
<script>
test(t => {
assert_element_accepts_trusted_html_set_ns(window, '0', t, 'a', 'b', RESULTS.HTML);
}, "Element.setAttributeNS assigned via policy (successful HTML transformation)");
test(t => {
assert_element_accepts_trusted_script_set_ns(window, '1', t, 'a', 'b', RESULTS.SCRIPT);
}, "Element.setAttributeNS assigned via policy (successful Script transformation)");
test(t => {
assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);
}, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");
const htmlNamespace = "http://www.w3.org/1999/xhtml";
// Unknown attributes should not be TT checked:
test(t => {
assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string', htmlNamespace, null);
}, "Element.setAttributeNS accepts untrusted string for non-specced accessor");
test(t => {
assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null', htmlNamespace, null);
}, "Element.setAttributeNS accepts null for non-specced accessor");
// Setup trusted values for use in subsequent tests.
const script_url = createScriptURL_policy(window, '5').createScriptURL(INPUTS.ScriptURL);
const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML);
const script = createScript_policy(window, '7').createScript(INPUTS.Script);
const xlinkNamespace = "http://www.w3.org/1999/xlink";
const svgNamespace = "http://www.w3.org/2000/svg";
// svg:script xlink:href=... expects a TrustedScriptURL.
// Assigning a TrustedScriptURL works.
test(t => {
let elem = document.createElementNS(svgNamespace, "script");
elem.setAttributeNS(xlinkNamespace, "href", script_url);
assert_equals("" + RESULTS.ScriptURL,
elem.getAttributeNodeNS(xlinkNamespace, "href").value);
}, "Assigning TrustedScriptURL to <svg:script xlink:href=...> works");
// Assigning things that ought to not work.
test(t => {
let elem = document.createElementNS(svgNamespace, "script");
const values = [ "abc", null, html, script ];
for (const v of values) {
assert_throws_js(TypeError, _ => {
elem.setAttributeNS(xlinkNamespace, "href", v);
});
}
}, "Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works");
// <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>.
const nonLowerCaseTests = [
{ element: "iframe", attribute: "SRCDOC", elementNamespace: htmlNamespace },
{ element: "embed", attribute: "SRC", elementNamespace: htmlNamespace },
{ element: "script", attribute: "SRC", elementNamespace: htmlNamespace },
{ element: "object", attribute: "DATA", elementNamespace: htmlNamespace },
{ element: "object", attribute: "CODEBASE", elementNamespace: htmlNamespace },
{ element: "script", attribute: "HREF", elementNamespace: svgNamespace },
{ element: "script", attribute: "HREF", elementNamespace: svgNamespace,
attributeNamespace: xlinkNamespace },
];
for (const testData of nonLowerCaseTests) {
const attributeNamespace = testData.attributeNamespace ?? null;
test(t => {
assert_element_accepts_non_trusted_type_set_ns(testData.element, testData.attribute, "v",
"v", testData.elementNamespace, attributeNamespace);
}, "Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute \"" +
testData.attribute + "\" (ns=" + attributeNamespace + ") for \"" + testData.element +
"\" element (ns=" + testData.elementNamespace + ").");
}
</script>
|
