Implement Trusted Type eval checks (#37834)

It implements the new codeForEvalGets callback to retrieve the
value for a trusted script object. Additionally, it implements
the new logic in can-compile-strings to call the policy
factory if required.

Note that parameter and argument checks aren't implemented yet,
as they require updates to binding generation (see TODO in
script_runtime).

Part of #36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Tim van der Lippe 2025-08-11 14:26:56 +02:00 committed by GitHub
parent 4c05758ded
commit 82ca2b92cd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
26 changed files with 159 additions and 345 deletions
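
The subtest titles in the diffs below describe when string compilation is allowed or refused. The following is an added example, not Servo's code: a simplified model of that decision, in which `canCompileStrings`, `block`, the `csp` fields and the stand-in `TrustedScript` class are all hypothetical names.

```javascript
// Simplified model (added example, not Servo code) of the decision the
// subtests in this commit exercise. All names here are hypothetical.
class TrustedScript {            // stand-in for the platform's TrustedScript
  constructor(text) { this.text = text; }
}

function block(reason) { return { allowed: false, reason }; }

// csp: { requireTrustedTypes: boolean, allowEval: boolean }
// defaultPolicy: null, or function(string) -> string | null (may throw)
function canCompileStrings(csp, defaultPolicy, source) {
  const isTrusted = source instanceof TrustedScript;
  // Role the commit message gives to codeForEvalGets: obtain the code
  // carried by a trusted script object.
  const code = isTrusted ? source.text : String(source);

  if (csp.requireTrustedTypes && !isTrusted) {
    if (!defaultPolicy) return block("no default policy for plain string");
    let converted;
    try {
      converted = defaultPolicy(code);
    } catch (e) {
      return block("default policy threw");
    }
    if (converted === null || converted === undefined)
      return block("default policy rejected value");
    // The check can only allow or refuse the original string, so a policy
    // that rewrites it leads to a refusal rather than to different code.
    if (converted !== code) return block("default policy mutated value");
  }
  // script-src still applies to trusted input. In this model the first
  // failing check decides the reported reason.
  if (!csp.allowEval) return block("script-src blocks eval");
  return { allowed: true, code };
}
```
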

@ -1,10 +1,4 @@
[report-clips-sample.https.html]
[Unsafe eval violation sample is clipped to 40 characters.]
expected: FAIL
[Unsafe indirect eval violation sample is clipped to 40 characters.]
expected: FAIL
[Function constructor - the other kind of eval - is clipped.]
expected: FAIL
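Review bot: one of the three clipping subtests in [report-clips-sample.https.html] still carries expected: FAIL after this hunk, since the header shrinks the file from 10 lines to 4 instead of deleting it. Name the remaining subtest in the commit message and say whether it waits on the parameter and argument checks that are listed as not implemented, so the leftover expectation is not later read as a regression.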

@ -1,18 +0,0 @@
[DedicatedWorker-block-eval-function-constructor.html]
[Blocked eval in DedicatedWorkerGlobalScope.]
expected: FAIL
[Blocked indirect eval in DedicatedWorkerGlobalScope.]
expected: FAIL
[Blocked Function constructor in DedicatedWorkerGlobalScope.]
expected: FAIL
[Blocked AsyncFunction constructor in DedicatedWorkerGlobalScope.]
expected: FAIL
[Blocked GeneratorFunction constructor in DedicatedWorkerGlobalScope.]
expected: FAIL
[Blocked AsyncGeneratorFunction constructor in DedicatedWorkerGlobalScope.]
expected: FAIL

@ -1,18 +0,0 @@
[DedicatedWorker-eval.html]
[eval(string) in dedicated worker]
expected: FAIL
[indirect eval(string) in dedicated worker]
expected: FAIL
[eval(TrustedScript) in dedicated worker]
expected: FAIL
[indirect eval(TrustedScript) in dedicated worker]
expected: FAIL
[eval(string) with default policy mutation in dedicated worker]
expected: FAIL
[indirect eval(string) with default policy mutation in dedicated worker]
expected: FAIL

@ -1,18 +0,0 @@
[Window-block-eval-function-constructor.html]
[Blocked eval in Window.]
expected: FAIL
[Blocked indirect eval in Window.]
expected: FAIL
[Blocked Function constructor in Window.]
expected: FAIL
[Blocked AsyncFunction constructor in Window.]
expected: FAIL
[Blocked GeneratorFunction constructor in Window.]
expected: FAIL
[Blocked AsyncGeneratorFunction constructor in Window.]
expected: FAIL

@ -1,3 +0,0 @@
[csp-block-eval.html]
[eval with TrustedScript throws (script-src blocks).]
expected: FAIL

@ -1,6 +0,0 @@
[eval-csp-no-tt.html]
[eval of TrustedScript works.]
expected: FAIL
[indirect eval of TrustedScript works.]
expected: FAIL

@ -1,18 +0,0 @@
[eval-csp-tt-default-policy-mutate.html]
[eval of string where default policy mutates value throws.]
expected: FAIL
[indirect eval of string where default policy mutates value throws.]
expected: FAIL
[Function constructor with string where default policy mutates value throws.]
expected: FAIL
[AsyncFunction constructor with string where default policy mutates value throws.]
expected: FAIL
[GeneratorFunction constructor with string where default policy mutates value throws.]
expected: FAIL
[AsyncGeneratorFunction constructor with string where default policy mutates value throws.]
expected: FAIL
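Review bot: the four Function-family entries in this hunk are dropped together with the two eval ones, while the commit message says parameter and argument checks are not implemented yet. Add a comment next to the TODO in script_runtime stating which string is compared against the default policy's output for the Function constructors today, so it is clear these subtests pass through the intended mismatch check and not through an unrelated rejection.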

@ -1,6 +0,0 @@
[eval-csp-tt-default-policy.html]
[eval of TrustedScript works.]
expected: FAIL
[indirect eval of TrustedScript works.]
expected: FAIL

@ -1,30 +1,3 @@
[eval-csp-tt-no-default-policy.html]
[eval of TrustedScript works.]
expected: FAIL
[indirect eval of TrustedScript works.]
expected: FAIL
[eval of string fails.]
expected: FAIL
[indirect eval of string fails.]
expected: FAIL
[Function constructor of string fails.]
expected: FAIL
[Function constructor of all strings fails.]
expected: FAIL
[Function constructor of string and TrustedScript fails.]
expected: FAIL
[AsyncFunction constructor of string fails.]
expected: FAIL
[GeneratorFunction constructor of string fails.]
expected: FAIL
[AsyncGeneratorFunction constructor of string fails.]
expected: FAIL
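Review bot: the header leaves 3 lines in [eval-csp-tt-no-default-policy.html], so one of the ten subtests shown here is still expected to fail, and the hunk as rendered does not make clear which. If it is one of the multi-argument cases ("Function constructor of all strings fails." or "Function constructor of string and TrustedScript fails."), link it to the TODO about binding generation; if it is a single-string case, it deserves its own follow-up issue.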

@ -8,9 +8,6 @@
[plain string at index 2 (default policy modifying the function text).]
expected: FAIL
[plain string at index 3 (default policy modifying the function text).]
expected: FAIL
[TrustedScript with forged toString() at index 0 (default policy modifying the function text).]
expected: FAIL
@ -19,6 +16,3 @@
[TrustedScript with forged toString() at index 2 (default policy modifying the function text).]
expected: FAIL
[TrustedScript with forged toString() at index 3 (default policy modifying the function text).]
expected: FAIL
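Review bot: all entries visible in this hunk are "default policy modifying the function text" cases for Function constructor arguments, and the header keeps 3 of its 6 lines, so at least one stays expected: FAIL. That is the area the commit message defers; reference #36258 from the TODO in script_runtime so the remaining expectations have a tracked owner.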

@ -1,6 +0,0 @@
[eval-function-constructor-untrusted-arguments-and-default-policy-throwing.html]
[EvalError thrown if the callback of the default policy throws an error (eval).]
expected: FAIL
[EvalError thrown if the callback of the default policy throws an error (new Function).]
expected: FAIL
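Review bot: both subtests here expect an error thrown by the default policy callback to surface as an EvalError, for eval and for new Function. Check that the path that calls the policy factory clears the callback's pending exception before the EvalError is raised, and add a short comment there saying so, since a leftover pending exception is easy to reintroduce.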

@ -1,100 +1,4 @@
[eval-function-constructor.html]
[Function constructor with mixed plain and trusted strings, mask #0]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #0]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #0]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #0]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #1]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #1]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #1]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #1]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #2]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #2]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #2]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #2]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #3]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #3]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #3]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #3]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #4]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #4]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #4]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #4]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #5]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #5]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #5]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #5]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #6]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #6]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #6]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #6]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #7]
expected: FAIL
[AsyncFunction constructor with mixed plain and trusted strings, mask #7]
expected: FAIL
[GeneratorFunction constructor with mixed plain and trusted strings, mask #7]
expected: FAIL
[AsyncGeneratorFunction constructor with mixed plain and trusted strings, mask #7]
expected: FAIL
[Function constructor with mixed plain and trusted strings, mask #8]
expected: FAIL
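Review bot: masks #0 to #7 lose their expectations for all four constructors, while the "mask #8" entry at the end of this hunk appears to remain as failing context, and the commit message says parameter and argument checks are not implemented. Explain in the commit message why the lower masks pass without those checks, so a later change to argument handling does not silently depend on it.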
@ -187,6 +91,3 @@
[Function constructor with trusted strings, and a forged toString() for the one at index 2]
expected: FAIL
[Function constructor with trusted strings, and a forged toString() for the one at index 3]
expected: FAIL
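Review bot: the entries in this hunk use trusted strings whose toString() has been forged, so the outcome depends on where the engine reads the script text from. Document on the code that retrieves the value for a trusted script object that it returns the stored value and never calls a script-visible toString(), and say which of the two indices shown here still fails and why.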

@ -1,6 +0,0 @@
[eval-no-csp-no-tt-default-policy.html]
[eval of TrustedScript works.]
expected: FAIL
[indirect eval of TrustedScript works.]
expected: FAIL

@ -1,6 +0,0 @@
[eval-no-csp-no-tt.html]
[eval of TrustedScript works.]
expected: FAIL
[indirect eval of TrustedScript works.]
expected: FAIL

@ -1,15 +0,0 @@
[eval-with-permissive-csp.html]
[eval with plain string with Trusted Types and permissive CSP throws (no type).]
expected: FAIL
[indirect eval with plain string with Trusted Types and permissive CSP throws (no type).]
expected: FAIL
[Function constructor with plain string with Trusted Types and permissive CSP throws (no type).]
expected: FAIL
[eval with TrustedScript and permissive CSP works.]
expected: FAIL
[indirect eval with TrustedScript and permissive CSP works.]
expected: FAIL

@ -1,6 +0,0 @@
[trusted-types-eval-reporting-no-unsafe-eval.html]
[Trusted Type violation report: evaluating a string violates both script-src and trusted-types.]
expected: FAIL
[Trusted Type violation report: evaluating a Trusted Script violates script-src.]
expected: FAIL
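Review bot: the first subtest expects a plain string to be reported against both script-src and trusted-types, not only against the first check that fails. State in can-compile-strings the order in which the two checks run and how both reports end up being sent, since the removed expectation now depends on that behaviour.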

@ -1,6 +0,0 @@
[trusted-types-eval-reporting-report-only.html]
[Trusted Type violation report: evaluating a string.]
expected: FAIL
[Trusted Type violation report: evaluating a Trusted Script.]
expected: FAIL

@ -1,6 +1,3 @@
[trusted-types-reporting-check-report-DedicatedWorker-sink-mismatch.html]
[Test report-uri works with require-trusted-types-for violation.]
expected: FAIL
[Test number of sent reports.]
expected: FAIL
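Review bot: the header keeps 3 of the 6 lines, so one of "Test report-uri works with require-trusted-types-for violation." and "Test number of sent reports." is still expected to fail in the DedicatedWorker variant. Say which one remains; if it is the report count, note whether eval violations are sent too often or not at all, because that would be a reporting issue separate from the deferred argument checks.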

@ -1,6 +1,3 @@
[trusted-types-reporting-check-report-Window-sink-mismatch.html]
[Test report-uri works with require-trusted-types-for violation.]
expected: FAIL
[Test number of sent reports.]
expected: FAIL

@ -1,6 +0,0 @@
[trusted-types-reporting-for-DedicatedWorker-eval.html]
[No violation reported for eval with TrustedScript.]
expected: FAIL
[Violation report for eval with plain string.]
expected: FAIL

@ -1,6 +0,0 @@
[trusted-types-reporting-for-Window-eval.html]
[No violation reported for eval with TrustedScript.]
expected: FAIL
[Violation report for eval with plain string.]
expected: FAIL

@ -1,3 +0,0 @@
[tt-block-eval.html]
[eval blocks if the default policy rejects a value.]
expected: FAIL