Implement trusted types for setAttribute (#38700)

Callers now call `set_attribute` directly, to avoid the trusted types machinery, as well as skip validation. That's not required by spec as well. This implements part of the DOM integration from https://github.com/whatwg/dom/pull/1268 Part of #36258 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-09-29 16:19:14 +01:00 · 2025-08-15 21:18:19 +02:00 · 2025-08-15 21:18:19 +02:00 · 18e05d3aab
commit 18e05d3aab
parent 8290761066
18 changed files with 217 additions and 240 deletions
--- a/tests/wpt/meta/trusted-types/Element-setAttribute-setAttributeNS-sinks.tentative.html.ini
+++ b/tests/wpt/meta/trusted-types/Element-setAttribute-setAttributeNS-sinks.tentative.html.ini
@ -1,21 +0,0 @@
-[Element-setAttribute-setAttributeNS-sinks.tentative.html]
-  [HTMLIFrameElement.setAttribute('srcdoc', plain_string)]
-    expected: FAIL
-
-  [HTMLIFrameElement.setAttributeNS(null, 'srcdoc', plain_string)]
-    expected: FAIL
-
-  [HTMLScriptElement.setAttribute('src', plain_string)]
-    expected: FAIL
-
-  [HTMLScriptElement.setAttributeNS(null, 'src', plain_string)]
-    expected: FAIL
-
-  [SVGScriptElement.setAttribute('href', plain_string)]
-    expected: FAIL
-
-  [SVGScriptElement.setAttributeNS(null, 'href', plain_string)]
-    expected: FAIL
-
-  [SVGScriptElement.setAttributeNS(NSURI_XLINK, 'href', plain_string)]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini
+++ b/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini
@ -1,22 +1,7 @@
 [block-string-assignment-to-Element-setAttribute.html]
-  [script.src accepts only TrustedScriptURL]
-    expected: FAIL
-
-  [iframe.srcdoc accepts only TrustedHTML]
-    expected: FAIL
-
  [div.onclick accepts only TrustedScript]
    expected: FAIL

-  [`Script.prototype.setAttribute.SrC = string` throws.]
-    expected: FAIL
-
-  [script.src's mutationobservers receive the default policy's value.]
-    expected: FAIL
-
-  [iframe.srcdoc's mutationobservers receive the default policy's value.]
-    expected: FAIL
-
  [div.onclick's mutationobservers receive the default policy's value.]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttributeNS.html.ini
+++ b/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttributeNS.html.ini
@ -1,3 +0,0 @@
-[block-string-assignment-to-Element-setAttributeNS.html]
-  [Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini
+++ b/tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini
@ -8,15 +8,6 @@
  [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete other attribute before)]
    expected: FAIL

-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href (delete other attribute before)]
-    expected: FAIL
-
  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)]
    expected: FAIL

@ -26,18 +17,6 @@
  [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete other attribute before)]
    expected: FAIL

-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (delete other attribute before)]
-    expected: FAIL
-
  [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)]
    expected: FAIL

@ -194,15 +173,6 @@
  [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete attribute)]
    expected: FAIL

-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href (delete attribute)]
-    expected: FAIL
-
  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)]
    expected: FAIL

@ -212,18 +182,6 @@
  [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete attribute)]
    expected: FAIL

-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (delete attribute)]
-    expected: FAIL
-
  [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)]
    expected: FAIL

@ -380,15 +338,6 @@
  [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (modify attribute)]
    expected: FAIL

-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href (modify attribute)]
-    expected: FAIL
-
  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)]
    expected: FAIL

@ -398,18 +347,6 @@
  [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (modify attribute)]
    expected: FAIL

-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (modify attribute)]
-    expected: FAIL
-
  [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini
+++ b/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini
@ -8,15 +8,6 @@
  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown]
    expected: FAIL

-  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc]
-    expected: FAIL
-
-  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src]
-    expected: FAIL
-
-  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href]
-    expected: FAIL
-
  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick]
    expected: FAIL

@ -26,18 +17,6 @@
  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown]
    expected: FAIL

-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME, attrName=srcdoc]
-    expected: FAIL
-
-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT, attrName=src]
-    expected: FAIL
-
-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/2000/svg, element=script, attrName=href]
-    expected: FAIL
-
-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href]
-    expected: FAIL
-
  [Element.setAttributeNode applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini
+++ b/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini
@ -8,15 +8,6 @@
  [Element.setAttribute throws for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow,  attrName=onmousedown with a plain string]
    expected: FAIL

-  [Element.setAttribute throws for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME,  attrName=srcdoc with a plain string]
-    expected: FAIL
-
-  [Element.setAttribute throws for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT,  attrName=src with a plain string]
-    expected: FAIL
-
-  [Element.setAttribute throws for elementNS=http://www.w3.org/2000/svg, element=script,  attrName=href with a plain string]
-    expected: FAIL
-
  [Element.setAttributeNS throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV,  attrName=onclick with a plain string]
    expected: FAIL

@ -26,18 +17,6 @@
  [Element.setAttributeNS throws for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow,  attrName=onmousedown with a plain string]
    expected: FAIL

-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/1999/xhtml, element=IFRAME,  attrName=srcdoc with a plain string]
-    expected: FAIL
-
-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/1999/xhtml, element=SCRIPT,  attrName=src with a plain string]
-    expected: FAIL
-
-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/2000/svg, element=script,  attrName=href with a plain string]
-    expected: FAIL
-
-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink,  attrName=href with a plain string]
-    expected: FAIL
-
  [Element.setAttributeNode throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV,  attrName=onclick with a plain string]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini
@ -1,27 +1,6 @@
 [trusted-types-reporting-for-Element-setAttribute.html]
-  [Violation report for HTMLIFrameElement.setAttribute('srcdoc', plain_string)]
-    expected: FAIL
-
-  [Violation report for HTMLIFrameElement.setAttributeNS(null, 'srcdoc', plain_string)]
-    expected: FAIL
-
  [Violation report for Element.setAttribute('onclick', plain_string)]
    expected: FAIL

  [Violation report for Element.setAttributeNS(null, 'onclick', plain_string)]
    expected: FAIL
-
-  [Violation report for HTMLScriptElement.setAttribute('src', plain_string)]
-    expected: FAIL
-
-  [Violation report for HTMLScriptElement.setAttributeNS(null, 'src', plain_string)]
-    expected: FAIL
-
-  [Violation report for SVGScriptElement.setAttribute('href', plain_string)]
-    expected: FAIL
-
-  [Violation report for SVGScriptElement.setAttributeNS(null, 'href', plain_string)]
-    expected: FAIL
-
-  [Violation report for SVGScriptElement.setAttributeNS(http://www.w3.org/1999/xlink, 'href', plain_string)]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-svg-script-set-href.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-svg-script-set-href.html.ini
@ -5,15 +5,9 @@
  [Assign TrustedScriptURL to SVGScriptElement.href.baseVal.]
    expected: FAIL

-  [Assign string to non-attached SVGScriptElement.href via setAttribute.]
-    expected: FAIL
-
  [Assign TrustedScriptURL to non-attached SVGScriptElement.href via setAttribute.]
    expected: FAIL

-  [Assign string to attached SVGScriptElement.href via setAttribute.]
-    expected: FAIL
-
  [Assign TrustedScriptURL to attached SVGScriptElement.href via setAttribute.]
    expected: FAIL