diff options
Diffstat (limited to '')
14 files changed, 425 insertions, 0 deletions
diff --git a/testing/web-platform/tests/trusted-types/support/HTMLScriptElement-internal-slot-support.html b/testing/web-platform/tests/trusted-types/support/HTMLScriptElement-internal-slot-support.html new file mode 100644 index 0000000000..b9a0ceefae --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/HTMLScriptElement-internal-slot-support.html @@ -0,0 +1,18 @@ +<html> +<head> +<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'"> +<script> +// Support script. This is meant to trigger deferred parsing. To accomplish this +// we pad the file (with this very comment) to >>200B length, and then load it +// with ...?pipe=tricle(200:d1) to ensure it's being delivered in pieces. +window.parent.postMessage("first script element executed", "*"); +</script> +<script> +window.parent.postMessage("second script element executed", "*"); +</script> +</head> +<body> +Hey! +</body> +</html> + diff --git a/testing/web-platform/tests/trusted-types/support/HTMLScriptElement-internal-slot-support.js b/testing/web-platform/tests/trusted-types/support/HTMLScriptElement-internal-slot-support.js new file mode 100644 index 0000000000..7d574a6a13 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/HTMLScriptElement-internal-slot-support.js @@ -0,0 +1,2 @@ +window.postMessage("script url", "*"); + diff --git a/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-eval.https.js b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-eval.https.js new file mode 100644 index 0000000000..be0a4300e1 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-eval.https.js @@ -0,0 +1,37 @@ +let test_setup_policy = trustedTypes.createPolicy("hurrayanythinggoes", { + createScriptURL: x => x +}); +importScripts(test_setup_policy.createScriptURL("/resources/testharness.js")); + +// Determine worker type (for better logging) +let worker_type = "unknown"; +if (this.DedicatedWorkerGlobalScope !== undefined) { + worker_type = "dedicated worker"; +} else if (this.SharedWorkerGlobalScope !== undefined) { + worker_type = "shared worker"; +} else if (this.ServiceWorkerGlobalScope !== undefined) { + worker_type = "service worker"; +} + +// Test eval(string) +test(t => { + assert_throws_js(EvalError, _ => eval("2")); +}, "eval(string) in " + worker_type); + +// Test eval(TrustedScript) +let test_policy = trustedTypes.createPolicy("xxx", { + createScript: x => x.replace("2", "7") +}); +test(t => { + assert_equals(eval(test_policy.createScript("2")), 7); +}, "eval(TrustedScript) in " + worker_type); + +// Test eval(String) with default policy +trustedTypes.createPolicy("default", { + createScript: x => x.replace("2", "5") +}); +test(t => { + assert_equals(eval("2"), 5); +}, "eval(string) with default policy in " + worker_type); + +done(); diff --git a/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-eval.https.js.headers b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-eval.https.js.headers new file mode 100644 index 0000000000..604e765da4 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-eval.https.js.headers @@ -0,0 +1 @@ +Content-Security-Policy: require-trusted-types-for 'script'; diff --git a/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js new file mode 100644 index 0000000000..c40e8550dd --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js @@ -0,0 +1,84 @@ +let test_setup_policy = trustedTypes.createPolicy("hurrayanythinggoes", { + createScriptURL: x => x +}); +importScripts(test_setup_policy.createScriptURL("/resources/testharness.js")); + +// Determine worker type (for better logging) +let worker_type = "unknown"; +if (this.DedicatedWorkerGlobalScope !== undefined) { + worker_type = "dedicated worker"; +} else if (this.SharedWorkerGlobalScope !== undefined) { + worker_type = "shared worker"; +} else if (this.ServiceWorkerGlobalScope !== undefined) { + worker_type = "service worker"; +} + +let test_policy = trustedTypes.createPolicy("xxx", { + createScriptURL: url => url.replace("play", "work") +}); + +test(t => { + self.result = "Fail"; + let trusted_url = test_policy.createScriptURL("player.js"); + assert_true(this.trustedTypes.isScriptURL(trusted_url)); + importScripts(trusted_url); // worker.js modifies self.result. + assert_equals(self.result, "Pass"); +}, "importScripts with TrustedScriptURL works in " + worker_type); + +test(t => { + let untrusted_url = "player.js"; + assert_throws_js(TypeError, + function() { importScripts(untrusted_url) }, + "importScripts(untrusted_url)"); +}, "importScripts with untrusted URLs throws in " + worker_type); + +test(t => { + assert_throws_js(TypeError, + function() { importScripts(null) }, + "importScripts(null)"); +}, "null is not a trusted script URL throws in " + worker_type); + +test(t => { + self.result = "Fail"; + let trusted_url = test_policy.createScriptURL("player.js?variant1"); + let trusted_url2 = test_policy.createScriptURL("player.js?variant2"); + importScripts(trusted_url, trusted_url2); + assert_equals(self.result, "Pass"); +}, "importScripts with two URLs, both trusted, in " + worker_type); + +test(t => { + let untrusted_url = "player.js?variant1"; + let untrusted_url2 = "player.js?variant2"; + assert_throws_js(TypeError, + function() { importScripts(untrusted_url, untrusted_url2) }, + "importScripts(untrusted_url, untrusted_url2)"); +}, "importScripts with two URLs, both strings, in " + worker_type); + +test(t => { + let untrusted_url = "player.js"; + let trusted_url = test_policy.createScriptURL(untrusted_url); + assert_throws_js(TypeError, + function() { importScripts(untrusted_url, trusted_url) }, + "importScripts(untrusted_url, trusted_url)"); +}, "importScripts with two URLs, one trusted, in " + worker_type); + +// Test default policy application: +trustedTypes.createPolicy("default", { + createScriptURL: url => url.replace("play", "work") +}, true); +test(t => { + self.result = "Fail"; + let untrusted_url = "player.js"; + importScripts(untrusted_url); + assert_equals(self.result, "Pass"); +}, "importScripts with untrusted URLs and default policy works in " + worker_type); + +test(t => { + self.result = "Fail"; + let untrusted_url = "player.js"; + let trusted_url = test_policy.createScriptURL(untrusted_url); + importScripts(untrusted_url, trusted_url); + assert_equals(self.result, "Pass"); +}, "importScripts with one trusted and one untrusted URLs and default policy works in " + worker_type); + +done(); diff --git a/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers new file mode 100644 index 0000000000..604e765da4 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers @@ -0,0 +1 @@ +Content-Security-Policy: require-trusted-types-for 'script'; diff --git a/testing/web-platform/tests/trusted-types/support/frame-without-trusted-types.html b/testing/web-platform/tests/trusted-types/support/frame-without-trusted-types.html new file mode 100644 index 0000000000..25cf073e79 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/frame-without-trusted-types.html @@ -0,0 +1,6 @@ +<!DOCTYPE html> +<head> +</head> +<body> +</body> +</html> diff --git a/testing/web-platform/tests/trusted-types/support/helper.sub.js b/testing/web-platform/tests/trusted-types/support/helper.sub.js new file mode 100644 index 0000000000..2d1bd436bd --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/helper.sub.js @@ -0,0 +1,166 @@ +const INPUTS = { + HTML: "Hi, I want to be transformed!", + SCRIPT: "Hi, I want to be transformed!", + SCRIPTURL: "http://this.is.a.scripturl.test/", +}; + +const RESULTS = { + HTML: "Quack, I want to be a duck!", + SCRIPT: "Meow, I want to be a cat!", + SCRIPTURL: "http://this.is.a.successful.test/", +}; + +function createHTMLJS(html) { + return html.replace("Hi", "Quack") + .replace("transformed", "a duck"); +} + +function createScriptJS(script) { + return script.replace("Hi", "Meow") + .replace("transformed", "a cat"); +} + +function createScriptURLJS(scripturl) { + return scripturl.replace("scripturl", "successful"); +} + +function createHTMLJSWithThreeArguments(html0, html1, html2) { + return html0 + html1 + html2; +} + +function createScriptJSWithThreeArguments(script0, script1, script2) { + return script0 + script1 + script2; +} + +function createScriptURLJSWithThreeArguments(scripturl0, scripturl1, scripturl2) { + return scripturl0 + scripturl1 + scripturl2; +} + +function createHTML_policy(win, c) { + return win.trustedTypes.createPolicy('SomeHTMLPolicyName' + c, { createHTML: createHTMLJS }); +} + +function createScript_policy(win, c) { + return win.trustedTypes.createPolicy('SomeScriptPolicyName' + c, { createScript: createScriptJS }); +} + +function createScriptURL_policy(win, c) { + return win.trustedTypes.createPolicy('SomeScriptURLPolicyName' + c, { createScriptURL: createScriptURLJS }); +} + +function assert_element_accepts_trusted_html(win, c, t, tag, attribute, expected) { + let p = createHTML_policy(win, c); + let html = p.createHTML(INPUTS.HTML); + assert_element_accepts_trusted_type(tag, attribute, html, expected); +} + +function assert_element_accepts_trusted_script(win, c, t, tag, attribute, expected) { + let p = createScript_policy(win, c); + let script = p.createScript(INPUTS.SCRIPT); + assert_element_accepts_trusted_type(tag, attribute, script, expected); +} + +function assert_element_accepts_trusted_script_url(win, c, t, tag, attribute, expected) { + let p = createScriptURL_policy(win, c); + let scripturl = p.createScriptURL(INPUTS.SCRIPTURL); + assert_element_accepts_trusted_type(tag, attribute, scripturl, expected); +} + +function assert_element_accepts_trusted_type(tag, attribute, value, expected) { + let elem = document.createElement(tag); + elem[attribute] = value; + assert_equals(elem[attribute] + "", expected); +} + +function assert_throws_no_trusted_type(tag, attribute, value) { + let elem = document.createElement(tag); + let prev = elem[attribute]; + assert_throws_js(TypeError, _ => { + elem[attribute] = value; + }); + assert_equals(elem[attribute], prev); +} + +function assert_element_accepts_trusted_html_explicit_set(win, c, t, tag, attribute, expected) { + let p = createHTML_policy(win, c); + let html = p.createHTML(INPUTS.HTML); + assert_element_accepts_trusted_type_explicit_set(tag, attribute, html, expected); +} + +function assert_element_accepts_trusted_script_explicit_set(win, c, t, tag, attribute, expected) { + let p = createScript_policy(win, c); + let script = p.createScript(INPUTS.SCRIPT); + assert_element_accepts_trusted_type_explicit_set(tag, attribute, script, expected); +} + +function assert_element_accepts_trusted_script_url_explicit_set(win, c, t, tag, attribute, expected) { + let p = createScriptURL_policy(win, c); + let scripturl = p.createScriptURL(INPUTS.SCRIPTURL); + assert_element_accepts_trusted_type_explicit_set(tag, attribute, scripturl, expected); +} + +function assert_element_accepts_trusted_type_explicit_set(tag, attribute, value, expected) { + let elem = document.createElement(tag); + elem.setAttribute(attribute, value); + if (!/^on/.test(attribute)) { // "on" attributes are converted to functions. + assert_equals(elem[attribute] + "", expected); + } + assert_equals(elem.getAttribute(attribute), expected); +} + +function assert_throws_no_trusted_type_explicit_set(tag, attribute, value) { + let elem = document.createElement(tag); + let prev = elem[attribute]; + assert_throws_js(TypeError, _ => { + elem.setAttribute(attribute, value); + }); + assert_equals(elem[attribute], prev); + assert_equals(elem.getAttribute(attribute), null); +} + +function assert_element_accepts_non_trusted_type_explicit_set(tag, attribute, value, expected) { + let elem = document.createElement(tag); + elem.setAttribute(attribute, value); + assert_equals(elem[attribute] + "", expected); + assert_equals(elem.getAttribute(attribute), expected); +} + +let namespace = 'http://www.w3.org/1999/xhtml'; +function assert_element_accepts_trusted_html_set_ns(win, c, t, tag, attribute, expected) { + let p = createHTML_policy(win, c); + let html = p.createHTML(INPUTS.HTML); + assert_element_accepts_trusted_type_set_ns(tag, attribute, html, expected); +} + +function assert_element_accepts_trusted_script_set_ns(win, c, t, tag, attribute, expected) { + let p = createScript_policy(win, c); + let script = p.createScript(INPUTS.SCRIPT); + assert_element_accepts_trusted_type_set_ns(tag, attribute, script, expected); +} + +function assert_element_accepts_trusted_script_url_set_ns(win, c, t, tag, attribute, expected) { + let p = createScriptURL_policy(win, c); + let scripturl = p.createScriptURL(INPUTS.SCRIPTURL); + assert_element_accepts_trusted_type_set_ns(tag, attribute, scripturl, expected); +} + +function assert_element_accepts_trusted_type_set_ns(tag, attribute, value, expected) { + let elem = document.createElement(tag); + elem.setAttributeNS(namespace, attribute, value); + let attr_node = elem.getAttributeNodeNS(namespace, attribute); + assert_equals(attr_node.value + "", expected); +} + +function assert_throws_no_trusted_type_set_ns(tag, attribute, value) { + let elem = document.createElement(tag); + assert_throws_js(TypeError, _ => { + elem.setAttributeNS(namespace, attribute, value); + }); +} + +function assert_element_accepts_non_trusted_type_set_ns(tag, attribute, value, expected) { + let elem = document.createElement(tag); + elem.setAttributeNS(namespace, attribute, value); + let attr_node = elem.getAttributeNodeNS(namespace, attribute); + assert_equals(attr_node.value + "", expected); +} diff --git a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html new file mode 100644 index 0000000000..5f7856fabb --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html @@ -0,0 +1,53 @@ +<!DOCTYPE html> +<head> +</head> +<body> +<p>Support page for trusted-types-navigation-report-only.*.html tests.</p> +<a id="anchor" href="#">link</a> +<script> + const params = new URLSearchParams(location.search); + if (!!params.get("defaultpolicy")) { + trustedTypes.createPolicy("default", { + createScript: s => s.replace("continue", "defaultpolicywashere"), + }); + } + + function bounceEventToOpener(e) { + const msg = {}; + for (const field of ["effectiveDirective", "sample", "type"]) { + msg[field] = e[field]; + } + msg["uri"] = location.href; + window.opener.postMessage(msg, "*"); + } + + // If a navigation is blocked by Trusted Types, we expect this window to + // throw a SecurityPolicyViolationEvent. If it's not blocked, we expect the + // loaded frame to through DOMContentLoaded. In either case there should be + // _some_ event that we can expect. + document.addEventListener("DOMContentLoaded", bounceEventToOpener); + document.addEventListener("securitypolicyviolation", bounceEventToOpener); + + // Navigate to the non-report-only version of the test. That has the same + // event listening setup as this, but is a different target URI. + const target_script = `location.href='${location.href.replace("-report-only", "") + "#continue"}';`; + const target = `javascript:"<script>${target_script}</scri${""}pt>"`; + + // Navigate the anchor, but only after the content is loaded (so that we + // won't disturb delivery of that event to the opener. + const anchor = document.getElementById("anchor"); + anchor.href = target; + + if (!!params.get("frame")) { + const frame = document.createElement("iframe"); + frame.src = "frame-without-trusted-types.html"; + frames.name = "frame"; + document.body.appendChild(frame); + anchor.target = "frame"; + } + + if (!location.hash) { + document.addEventListener("DOMContentLoaded", _ => anchor.click()); + } +</script> +</body> diff --git a/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html.headers b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html.headers new file mode 100644 index 0000000000..4c1ff15e16 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/navigation-report-only-support.html.headers @@ -0,0 +1 @@ +Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; diff --git a/testing/web-platform/tests/trusted-types/support/navigation-support.html b/testing/web-platform/tests/trusted-types/support/navigation-support.html new file mode 100644 index 0000000000..5e02e6d4bf --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/navigation-support.html @@ -0,0 +1,51 @@ +<!DOCTYPE html> +<head> +</head> +<body> +<p>Support page for trusted-types-navigation.*.html tests.</p> +<a id="anchor" href="#">link</a> +<script> + const params = new URLSearchParams(location.search); + if (!!params.get("defaultpolicy")) { + trustedTypes.createPolicy("default", { + createScript: s => s.replace("continue", "defaultpolicywashere"), + }); + } + + function bounceEventToOpener(e) { + const msg = {}; + for (const field of ["effectiveDirective", "sample", "type"]) { + msg[field] = e[field]; + } + msg["uri"] = location.href; + window.opener.postMessage(msg, "*"); + } + + // If a navigation is blocked by Trusted Types, we expect this window to + // throw a SecurityPolicyViolationEvent. If it's not blocked, we expect the + // loaded frame to through DOMContentLoaded. In either case there should be + // _some_ event that we can expect. + document.addEventListener("DOMContentLoaded", bounceEventToOpener); + document.addEventListener("securitypolicyviolation", bounceEventToOpener); + + // We'll use a javascript:-url to navigate to ourselves, so that we can + // re-use the messageing mechanisms above. In order to not end up in a loop, + // we'll only click if we don't find fragment in the current URL. + const target_script = `location.href='${location.href}&continue';`; + const target = `javascript:"<script>${target_script}</scri${""}pt>"`; + + const anchor = document.getElementById("anchor"); + anchor.href = target; + + if (!!params.get("frame")) { + const frame = document.createElement("iframe"); + frame.src = "frame-without-trusted-types.html"; + frames.name = "frame"; + document.body.appendChild(frame); + anchor.target = "frame"; + } + + if (!location.hash) + document.addEventListener("DOMContentLoaded", _ => anchor.click()); +</script> +</body> diff --git a/testing/web-platform/tests/trusted-types/support/navigation-support.html.headers b/testing/web-platform/tests/trusted-types/support/navigation-support.html.headers new file mode 100644 index 0000000000..604e765da4 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/navigation-support.html.headers @@ -0,0 +1 @@ +Content-Security-Policy: require-trusted-types-for 'script'; diff --git a/testing/web-platform/tests/trusted-types/support/set-inner-html.js b/testing/web-platform/tests/trusted-types/support/set-inner-html.js new file mode 100644 index 0000000000..45053d43e3 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/set-inner-html.js @@ -0,0 +1,3 @@ +function setInnerHtml(element, value) { + element.innerHTML = value; +} diff --git a/testing/web-platform/tests/trusted-types/support/worker.js b/testing/web-platform/tests/trusted-types/support/worker.js new file mode 100644 index 0000000000..4079f7e9c7 --- /dev/null +++ b/testing/web-platform/tests/trusted-types/support/worker.js @@ -0,0 +1 @@ +self.result = "Pass"; |