Implement all trusted sinks in HTMLScriptElement (#36668)

As a follow-up to the recent introduction of `script.src`
as a trusted sink, this PR refactors machinery to also
support `TrustedScript`. In doing so, all trusted sinks
in `HTMLScriptElement` are now covered.

Instead of calling the callbacks in `policy.createX`,
we now have a `TrustedType` enum that specifies which callback
to invoke. Unfortunately we still have the `USVString` vs
`DOMString` problem, which is why we need to `.map` twice
to retrieve the backing `String` and avoid two different
types.

Additionally, I saw that `script.text` should have called
the "String replace all" algorithm rather than setting the
child contents. So that's also now fixed.

Part of #36258
Requires servo/html5ever#608

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

Tim van der Lippe 2025-05-03 10:35:46 +02:00 committed by GitHub
parent dd63325f50
commit 4164f76769
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 320 additions and 353 deletions

@ -1,10 +1,4 @@
[HTMLElement-generic.html]
[TT enabled: script.src\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: script.src\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n connected element\n ]
expected: FAIL
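Review bot: The description should explain why the two `script.src = String` entries at the top of this hunk only stop failing now, given that it says `script.src` was already introduced as a trusted sink before this PR. Please state whether the earlier change left these expectations stale or whether the `TrustedType` enum refactor is what makes them pass, so that a later bisect on `script.src` behaviour lands on the right commit.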
@ -17,30 +11,6 @@
[TT enabled: iframe.srcdoc\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: script.text\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: script.text\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: script.innerText\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: script.innerText\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: script.textContent\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: script.textContent\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: script.src\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.src\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
@ -52,33 +22,3 @@
[TT enabled: iframe.srcdoc\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.text\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.text\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.innerText\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.innerText\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.textContent\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.textContent\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.src\n = TrustedScript on a\n connected element\n ]
expected: FAIL
[TT enabled: script.src\n = TrustedScript on a\n non-connected element\n ]
expected: FAIL
[TT enabled: script.src\n = TrustedScript on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: script.src\n = TrustedScript on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
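Review bot: Missing documentation for the mismatched-type case covered by the four `script.src = TrustedScript` entries at the end of this hunk: a `TrustedScript` is handed to a sink that the next file's expectations describe as `script.src accepts only TrustedScriptURL`, and the description never says how the new `TrustedType` enum treats a value of the wrong trusted type. A doc comment on the enum or on the sink setter stating what happens to a mismatched type would make that guarantee reviewable, since it is the check that stops one kind of trusted value from being reused at a different sink.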

@ -1,7 +1,4 @@
[block-string-assignment-to-HTMLElement-generic.html]
[script.src accepts only TrustedScriptURL]
expected: FAIL
[div.innerHTML accepts only TrustedHTML]
expected: FAIL
@ -13,12 +10,3 @@
[iframe.srcdoc accepts string and null after default policy was created]
expected: FAIL
[script.text accepts only TrustedScript]
expected: FAIL
[script.innerText accepts only TrustedScript]
expected: FAIL
[script.textContent accepts only TrustedScript]
expected: FAIL

@ -7,12 +7,3 @@
[Setting SVGScriptElement.innerHTML to a plain string]
expected: FAIL
[Setting HTMLScriptElement.innerText to a plain string]
expected: FAIL
[Setting HTMLScriptElement.textContent to a plain string]
expected: FAIL
[Setting HTMLScriptElement.text to a plain string]
expected: FAIL
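Review bot: Worth recording under #36258 that the SVG script element is still open: `Setting SVGScriptElement.innerHTML to a plain string` remains `expected: FAIL` at the top of this hunk while the three `HTMLScriptElement` entries go away. The description's "all trusted sinks in `HTMLScriptElement` are now covered" is accurate, but it is easy to read as covering script elements in general, so a one-line scope note would help.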

@ -3,15 +3,9 @@
[Count SecurityPolicyViolation events.]
expected: TIMEOUT
[script.src no default policy]
expected: FAIL
[div.innerHTML no default policy]
expected: FAIL
[script.text no default policy]
expected: FAIL
[div.innerHTML default]
expected: FAIL
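Review bot: Please check what still keeps `Count SecurityPolicyViolation events.` at `expected: TIMEOUT` at the top of this hunk now that the `script.src` and `script.text` "no default policy" cases no longer fail. If the count is only held back by the remaining `div.innerHTML` cases, a short note in the tracking issue is enough. If it is not, the violation counting deserves a look before more sinks are built on the same reporting path.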
@ -26,18 +20,3 @@
[div.innerHTML typeerror]
expected: FAIL
[script.text default]
expected: FAIL
[script.text null]
expected: FAIL
[script.text throw]
expected: FAIL
[script.text undefined]
expected: FAIL
[script.text typeerror]
expected: FAIL

@ -5,6 +5,3 @@
[div.innerHTML default]
expected: FAIL
[script.text default]
expected: FAIL

@ -1,9 +1,3 @@
[require-trusted-types-for-report-only.html]
[Require trusted types for 'script' block create HTML.]
expected: FAIL
[Require trusted types for 'script' block create script.]
expected: FAIL
[Require trusted types for 'script' block create script URL.]
expected: FAIL

@ -1,9 +1,3 @@
[require-trusted-types-for.html]
[Require trusted types for 'script' block create HTML.]
expected: FAIL
[Require trusted types for 'script' block create script.]
expected: FAIL
[Require trusted types for 'script' block create script URL.]
expected: FAIL

@ -1,25 +1,13 @@
[trusted-types-createHTMLDocument.html]
[Trusted Type assignment is blocked. (document)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (document)]
expected: FAIL
[Trusted Type assignment is blocked. (createHTMLDocument)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (createHTMLDocument)]
expected: FAIL
[Trusted Type assignment is blocked. (DOMParser)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (DOMParser)]
expected: FAIL
[Trusted Type assignment is blocked. (XHR)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (XHR)]
expected: FAIL
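Review bot: The description gives no reason for this file to change. None of the subtest names in `trusted-types-createHTMLDocument.html` mention a script sink, yet the hunk header takes the expectations from 25 lines to 13. Please name in the commit message which sink these subtests exercise across the `document`, `createHTMLDocument`, `DOMParser` and `XHR` variants, so a reader can tell that the newly passing cases follow from the `HTMLScriptElement` work and are not an unrelated behaviour change.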

@ -1,15 +1,6 @@
[trusted-types-report-only.html]
[Trusted Type violation report-only: assign string to script url]
expected: FAIL
[Trusted Type violation report-only: assign string to html]
expected: FAIL
[Trusted Type violation report-only: assign string to script.src]
expected: FAIL
[Trusted Type violation report-only: assign string to script content]
expected: FAIL
[Trusted Type violation report: check report contents]
expected: FAIL

@ -1,12 +0,0 @@
[trusted-types-reporting-for-HTMLScriptElement.html]
[Violation report for plain string (innerText)]
expected: FAIL
[Violation report for plain string (textContent)]
expected: FAIL
[Violation report for plain string (src)]
expected: FAIL
[Violation report for plain string (text)]
expected: FAIL