Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-25 15:18:22 +01:00
Code Issues Projects Releases Packages Wiki Activity

Implement trusted types url setter (#36596)

Browse source 
We now check the sink of script.src for trusted types. This is the first
attribute that we check, other sinks will be implemented in follow-up
changes.

The algorithms currently hardcode various parts. That's because I need
to refactor a couple of algorithms already present in TrustedTypePolicy.
They use callbacks at the moment, which made sense for their initial
use. However, for these new algorithms they don't work. Therefore, I
will align them with the specification by taking in an enum. However,
since that's a bigger refactoring, I left that out of this PR (which is
already quite big).

The other trusted types support (createScript and createHTML) will also
be implemented separately.

Part of #36258

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>
Co-authored-by: Josh Matthews <josh@joshmatthews.net>
This commit is contained in:
Tim van der Lippe 2025-04-21 08:56:40 +02:00 committed by GitHub
parent fee2ea34af
commit 6bb087e381
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 233 additions and 74 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tests/wpt/meta/content-security-policy/generic/generic-0_1-img-src.html.ini vendored
View file

@ -1,3 +0,0 @@
[generic-0_1-img-src.html]
[Should fire violation events for every failed violation]
expected: FAIL

3
tests/wpt/meta/content-security-policy/generic/generic-0_1-script-src.html.ini vendored
View file

@ -1,3 +0,0 @@
[generic-0_1-script-src.html]
[Should fire violation events for every failed violation]
expected: FAIL

3
tests/wpt/meta/content-security-policy/generic/generic-0_10_1.sub.html.ini vendored
View file

@ -1,3 +0,0 @@
[generic-0_10_1.sub.html]
[Should fire violation events for every failed violation]
expected: FAIL

3
tests/wpt/meta/content-security-policy/generic/generic-0_2_2.sub.html.ini vendored
View file

@ -1,3 +0,0 @@
[generic-0_2_2.sub.html]
[Should fire violation events for every failed violation]
expected: FAIL

3
tests/wpt/meta/content-security-policy/generic/generic-0_2_3.html.ini vendored
View file

@ -1,3 +0,0 @@
[generic-0_2_3.html]
[Should fire violation events for every failed violation]
expected: FAIL

3
tests/wpt/meta/content-security-policy/script-src/script-src-1_10.html.ini vendored
View file

@ -1,3 +0,0 @@
[script-src-1_10.html]
[Test that securitypolicyviolation event is fired]
expected: FAIL

3
tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_different_nonce.html.ini vendored
View file

@ -1,3 +0,0 @@
[script-src-strict_dynamic_double_policy_different_nonce.html]
[Unnonced script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce-only double policy.]
expected: FAIL

3
tests/wpt/meta/content-security-policy/style-src/style-blocked.html.ini vendored
View file

@ -1,6 +1,3 @@
[style-blocked.html]
[Violated directive is script-src-elem.]
expected: FAIL
[document.styleSheets should contain an item for the blocked CSS.]
expected: FAIL

3
tests/wpt/meta/trusted-types/HTMLScriptElement-internal-slot.html.ini vendored
View file

@ -1,6 +1,3 @@
[HTMLScriptElement-internal-slot.html]
[Test TT application when manipulating <script> elements during loading.]
expected: FAIL
[Setting .src to a plain string should throw an exception and not modify the script state, on an unconnected script element.]
expected: FAIL

6
tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html.ini vendored
View file

@ -1,6 +0,0 @@
[TrustedTypePolicyFactory-createPolicy-cspTests-none.html]
[Cannot create policy with name 'SomeName' - policy creation throws]
expected: FAIL
[Cannot create policy with name 'default' - policy creation throws]
expected: FAIL

6
tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html.ini vendored
View file

@ -1,6 +0,0 @@
[TrustedTypePolicyFactory-createPolicy-cspTests.html]
[Non-allowed name policy creation throws.]
expected: FAIL
[Duplicate name policy creation throws.]
expected: FAIL

3
tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini vendored
View file

@ -11,9 +11,6 @@
[`Script.prototype.setAttribute.SrC = string` throws.]
expected: FAIL
[script.src accepts string and null after default policy was created.]
expected: FAIL
[script.src's mutationobservers receive the default policy's value.]
expected: FAIL

3
tests/wpt/meta/trusted-types/block-string-assignment-to-HTMLElement-generic.html.ini vendored
View file

@ -8,9 +8,6 @@
[iframe.srcdoc accepts only TrustedHTML]
expected: FAIL
[script.src accepts string and null after default policy was created]
expected: FAIL
[div.innerHTML accepts string and null after default policy was created]
expected: FAIL

3
tests/wpt/meta/trusted-types/block-string-assignment-to-text-and-url-sinks.html.ini vendored
View file

@ -16,6 +16,3 @@
[Setting HTMLScriptElement.text to a plain string]
expected: FAIL
[Setting HTMLScriptElement.src to a plain string]
expected: FAIL

15
tests/wpt/meta/trusted-types/default-policy.html.ini vendored
View file

@ -12,21 +12,6 @@
[script.text no default policy]
expected: FAIL
[script.src default]
expected: FAIL
[script.src null]
expected: FAIL
[script.src throw]
expected: FAIL
[script.src undefined]
expected: FAIL
[script.src typeerror]
expected: FAIL
[div.innerHTML default]
expected: FAIL

3
tests/wpt/meta/trusted-types/empty-default-policy.html.ini vendored
View file

@ -3,9 +3,6 @@
[Count SecurityPolicyViolation events.]
expected: TIMEOUT
[script.src default]
expected: FAIL
[div.innerHTML default]
expected: FAIL