From a31235e52baa261ebe8133258ea0e681997026ea Mon Sep 17 00:00:00 2001 From: Tim van der Lippe Date: Sun, 17 Aug 2025 21:44:22 +0200 Subject: [PATCH] Add trusted type checks for global event handler attributes (#38718) This only covers the global event handlers for now, while I figure out which others we are missing. We don't seem to be missing the WindowEventHandlers, but not sure where the others coming from. Part of #36258 Signed-off-by: Tim van der Lippe --- components/script/dom/eventtarget.rs | 97 +++++++ .../script/dom/trustedtypepolicyfactory.rs | 15 +- .../GlobalEventHandlers-onclick.html.ini | 6 - ...ypePolicyFactory-getAttributeType.html.ini | 9 - ...Factory-getPropertyType.tentative.html.ini | 9 - ...ssignment-to-Element-setAttribute.html.ini | 9 - ...s-mutations-in-callback.tentative.html.ini | 54 ---- ...uire-trusted-types-default-policy.html.ini | 18 -- ...e-trusted-types-no-default-policy.html.ini | 18 -- .../trusted-types-event-handlers.html.ini | 270 ------------------ ...eporting-for-Element-setAttribute.html.ini | 6 - 11 files changed, 110 insertions(+), 401 deletions(-) delete mode 100644 tests/wpt/meta/trusted-types/GlobalEventHandlers-onclick.html.ini delete mode 100644 tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getAttributeType.html.ini delete mode 100644 tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.html.ini delete mode 100644 tests/wpt/meta/trusted-types/trusted-types-event-handlers.html.ini delete mode 100644 tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini diff --git a/components/script/dom/eventtarget.rs b/components/script/dom/eventtarget.rs index 55e10e69a4c..0f318b3a56e 100644 --- a/components/script/dom/eventtarget.rs +++ b/components/script/dom/eventtarget.rs @@ -68,6 +68,98 @@ use crate::dom::workerglobalscope::WorkerGlobalScope; use crate::realms::{InRealm, enter_realm}; use crate::script_runtime::CanGc; +/// +/// containing the values from +/// +static CONTENT_EVENT_HANDLER_NAMES: [&str; 83] = [ + "onabort", + "onauxclick", + "onbeforeinput", + "onbeforematch", + "onbeforetoggle", + "onblur", + "oncancel", + "oncanplay", + "oncanplaythrough", + "onchange", + "onclick", + "onclose", + "oncommand", + "oncontextlost", + "oncontextmenu", + "oncontextrestored", + "oncopy", + "oncuechange", + "oncut", + "ondblclick", + "ondrag", + "ondragend", + "ondragenter", + "ondragleave", + "ondragover", + "ondragstart", + "ondrop", + "ondurationchange", + "onemptied", + "onended", + "onerror", + "onfocus", + "onformdata", + "oninput", + "oninvalid", + "onkeydown", + "onkeypress", + "onkeyup", + "onload", + "onloadeddata", + "onloadedmetadata", + "onloadstart", + "onmousedown", + "onmouseenter", + "onmouseleave", + "onmousemove", + "onmouseout", + "onmouseover", + "onmouseup", + "onpaste", + "onpause", + "onplay", + "onplaying", + "onprogress", + "onratechange", + "onreset", + "onresize", + "onscroll", + "onscrollend", + "onsecuritypolicyviolation", + "onseeked", + "onseeking", + "onselect", + "onslotchange", + "onstalled", + "onsubmit", + "onsuspend", + "ontimeupdate", + "ontoggle", + "onvolumechange", + "onwaiting", + "onwebkitanimationend", + "onwebkitanimationiteration", + "onwebkitanimationstart", + "onwebkittransitionend", + "onwheel", + // https://drafts.csswg.org/css-animations/#interface-globaleventhandlers-idl + "onanimationend", + "onanimationiteration", + // https://drafts.csswg.org/css-transitions/#interface-globaleventhandlers-idl + "ontransitionrun", + "ontransitionend", + "ontransitioncancel", + // https://w3c.github.io/selection-api/#extensions-to-globaleventhandlers-interface + "onselectstart", + "onselectionchange", +]; + #[derive(Clone, JSTraceable, MallocSizeOf, PartialEq)] #[allow(clippy::enum_variant_names)] pub(crate) enum CommonEventHandler { @@ -956,6 +1048,11 @@ impl EventTarget { ); } } + + /// + pub(crate) fn is_content_event_handler(name: &str) -> bool { + CONTENT_EVENT_HANDLER_NAMES.contains(&name) + } } impl EventTargetMethods for EventTarget { diff --git a/components/script/dom/trustedtypepolicyfactory.rs b/components/script/dom/trustedtypepolicyfactory.rs index 25de518a9d9..46c90f799a9 100644 --- a/components/script/dom/trustedtypepolicyfactory.rs +++ b/components/script/dom/trustedtypepolicyfactory.rs @@ -20,6 +20,7 @@ use crate::dom::bindings::reflector::{DomGlobal, Reflector, reflect_dom_object}; use crate::dom::bindings::root::{DomRoot, MutNullableDom}; use crate::dom::bindings::str::DOMString; use crate::dom::csp::CspReporting; +use crate::dom::eventtarget::EventTarget; use crate::dom::globalscope::GlobalScope; use crate::dom::trustedhtml::TrustedHTML; use crate::dom::trustedscript::TrustedScript; @@ -120,8 +121,18 @@ impl TrustedTypePolicyFactory { // Step 1: Let data be null. // // We return the if directly - // Step 2: If attributeNs is null, and attribute is the name of an event handler content attribute, then: - // TODO(36258): look up event handlers + // Step 2: If attributeNs is null, « HTML namespace, SVG namespace, MathML namespace » contains + // element’s namespace, and attribute is the name of an event handler content attribute: + if attribute_namespace.is_none() && + matches!(*element_namespace, ns!(html) | ns!(svg) | ns!(mathml)) && + EventTarget::is_content_event_handler(attribute) + { + // Step 2.1. Return (Element, null, attribute, TrustedScript, "Element " + attribute). + return Some(( + TrustedType::TrustedScript, + "Element ".to_owned() + attribute, + )); + } // Step 3: Find the row in the following table, where element is in the first column, // attributeNs is in the second column, and attribute is in the third column. // If a matching row is found, set data to that row. diff --git a/tests/wpt/meta/trusted-types/GlobalEventHandlers-onclick.html.ini b/tests/wpt/meta/trusted-types/GlobalEventHandlers-onclick.html.ini deleted file mode 100644 index 3d8e44fa31b..00000000000 --- a/tests/wpt/meta/trusted-types/GlobalEventHandlers-onclick.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[GlobalEventHandlers-onclick.html] - [a.setAttribute('onclick') sets an unsuitable trusted type.] - expected: FAIL - - [a.setAttribute('click') sets a test string.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getAttributeType.html.ini b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getAttributeType.html.ini deleted file mode 100644 index e442d6b4a42..00000000000 --- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getAttributeType.html.ini +++ /dev/null @@ -1,9 +0,0 @@ -[TrustedTypePolicyFactory-getAttributeType.html] - [getAttributeType(\n "DIV",\n "onclick",\n "http://www.w3.org/1999/xhtml",\n "null") == "TrustedScript"] - expected: FAIL - - [getAttributeType(\n "g",\n "ondblclick",\n "http://www.w3.org/2000/svg",\n "null") == "TrustedScript"] - expected: FAIL - - [getAttributeType(\n "mrow",\n "onmousedown",\n "http://www.w3.org/1998/Math/MathML",\n "null") == "TrustedScript"] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.html.ini b/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.html.ini deleted file mode 100644 index 545aad66cfa..00000000000 --- a/tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.html.ini +++ /dev/null @@ -1,9 +0,0 @@ -[TrustedTypePolicyFactory-getPropertyType.tentative.html] - [sanity check trustedTypes.getAttributeType.] - expected: FAIL - - [getAttributeType tests adapted from w3c/trusted-types polyfill] - expected: FAIL - - [getPropertyType vs getAttributeType for event handler.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini b/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini index 779d8a54c56..692b035b104 100644 --- a/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini +++ b/tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini @@ -1,12 +1,3 @@ [block-string-assignment-to-Element-setAttribute.html] - [div.onclick accepts only TrustedScript] - expected: FAIL - - [div.onclick's mutationobservers receive the default policy's value.] - expected: FAIL - - [div.onclick accepts string and null after default policy was created.] - expected: FAIL - [`script.src = setAttributeNode(embed.src)` with string works.] expected: FAIL diff --git a/tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini b/tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini index a6dca6345cf..6b5f0d2972b 100644 --- a/tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini +++ b/tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini @@ -1,22 +1,4 @@ [set-attributes-mutations-in-callback.tentative.html] - [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)] - expected: FAIL - - [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete other attribute before)] - expected: FAIL - - [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete other attribute before)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete other attribute before)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete other attribute before)] - expected: FAIL - [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)] expected: FAIL @@ -164,24 +146,6 @@ [Node.textContent works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (delete other attribute before)] expected: FAIL - [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)] - expected: FAIL - - [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete attribute)] - expected: FAIL - - [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete attribute)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete attribute)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete attribute)] - expected: FAIL - [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)] expected: FAIL @@ -329,24 +293,6 @@ [Node.textContent works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (delete attribute)] expected: FAIL - [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)] - expected: FAIL - - [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (modify attribute)] - expected: FAIL - - [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (modify attribute)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (modify attribute)] - expected: FAIL - - [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (modify attribute)] - expected: FAIL - [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)] expected: FAIL diff --git a/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini b/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini index 589148c23f2..4189222ac59 100644 --- a/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini +++ b/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini @@ -1,22 +1,4 @@ [set-attributes-require-trusted-types-default-policy.html] - [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick] - expected: FAIL - - [Element.setAttribute applies default policy for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick] - expected: FAIL - - [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown] - expected: FAIL - - [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick] - expected: FAIL - - [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick] - expected: FAIL - - [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown] - expected: FAIL - [Element.setAttributeNode applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick] expected: FAIL diff --git a/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini b/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini index c9523b6371f..9d513cef676 100644 --- a/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini +++ b/tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini @@ -1,22 +1,4 @@ [set-attributes-require-trusted-types-no-default-policy.html] - [Element.setAttribute throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick with a plain string] - expected: FAIL - - [Element.setAttribute throws for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick with a plain string] - expected: FAIL - - [Element.setAttribute throws for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown with a plain string] - expected: FAIL - - [Element.setAttributeNS throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick with a plain string] - expected: FAIL - - [Element.setAttributeNS throws for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick with a plain string] - expected: FAIL - - [Element.setAttributeNS throws for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown with a plain string] - expected: FAIL - [Element.setAttributeNode throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick with a plain string] expected: FAIL diff --git a/tests/wpt/meta/trusted-types/trusted-types-event-handlers.html.ini b/tests/wpt/meta/trusted-types/trusted-types-event-handlers.html.ini deleted file mode 100644 index 205dd5886a8..00000000000 --- a/tests/wpt/meta/trusted-types/trusted-types-event-handlers.html.ini +++ /dev/null @@ -1,270 +0,0 @@ -[trusted-types-event-handlers.html] - [Event handler onclick should be blocked.] - expected: FAIL - - [Event handler onchange should be blocked.] - expected: FAIL - - [Event handler onfocus should be blocked.] - expected: FAIL - - [Event handler oNclick should be blocked.] - expected: FAIL - - [Event handler OnClIcK should be blocked.] - expected: FAIL - - [Event handler div.oncopy should be blocked.] - expected: FAIL - - [Event handler div.oncut should be blocked.] - expected: FAIL - - [Event handler div.onpaste should be blocked.] - expected: FAIL - - [Event handler div.onauxclick should be blocked.] - expected: FAIL - - [Event handler div.onabort should be blocked.] - expected: FAIL - - [Event handler div.onbeforeinput should be blocked.] - expected: FAIL - - [Event handler div.onbeforematch should be blocked.] - expected: FAIL - - [Event handler div.onbeforetoggle should be blocked.] - expected: FAIL - - [Event handler div.onblur should be blocked.] - expected: FAIL - - [Event handler div.oncancel should be blocked.] - expected: FAIL - - [Event handler div.oncanplay should be blocked.] - expected: FAIL - - [Event handler div.oncanplaythrough should be blocked.] - expected: FAIL - - [Event handler div.onchange should be blocked.] - expected: FAIL - - [Event handler div.onclick should be blocked.] - expected: FAIL - - [Event handler div.onclose should be blocked.] - expected: FAIL - - [Event handler div.oncommand should be blocked.] - expected: FAIL - - [Event handler div.oncontextmenu should be blocked.] - expected: FAIL - - [Event handler div.oncontextlost should be blocked.] - expected: FAIL - - [Event handler div.oncontextrestored should be blocked.] - expected: FAIL - - [Event handler div.oncuechange should be blocked.] - expected: FAIL - - [Event handler div.ondblclick should be blocked.] - expected: FAIL - - [Event handler div.ondrag should be blocked.] - expected: FAIL - - [Event handler div.ondragend should be blocked.] - expected: FAIL - - [Event handler div.ondragenter should be blocked.] - expected: FAIL - - [Event handler div.ondragexit should be blocked.] - expected: FAIL - - [Event handler div.ondragleave should be blocked.] - expected: FAIL - - [Event handler div.ondragover should be blocked.] - expected: FAIL - - [Event handler div.ondragstart should be blocked.] - expected: FAIL - - [Event handler div.ondrop should be blocked.] - expected: FAIL - - [Event handler div.ondurationchange should be blocked.] - expected: FAIL - - [Event handler div.onemptied should be blocked.] - expected: FAIL - - [Event handler div.onended should be blocked.] - expected: FAIL - - [Event handler div.onerror should be blocked.] - expected: FAIL - - [Event handler div.onfocus should be blocked.] - expected: FAIL - - [Event handler div.onformdata should be blocked.] - expected: FAIL - - [Event handler div.oninput should be blocked.] - expected: FAIL - - [Event handler div.oninvalid should be blocked.] - expected: FAIL - - [Event handler div.onkeydown should be blocked.] - expected: FAIL - - [Event handler div.onkeypress should be blocked.] - expected: FAIL - - [Event handler div.onkeyup should be blocked.] - expected: FAIL - - [Event handler div.onload should be blocked.] - expected: FAIL - - [Event handler div.onloadeddata should be blocked.] - expected: FAIL - - [Event handler div.onloadedmetadata should be blocked.] - expected: FAIL - - [Event handler div.onloadstart should be blocked.] - expected: FAIL - - [Event handler div.onmousedown should be blocked.] - expected: FAIL - - [Event handler div.onmouseenter should be blocked.] - expected: FAIL - - [Event handler div.onmouseleave should be blocked.] - expected: FAIL - - [Event handler div.onmousemove should be blocked.] - expected: FAIL - - [Event handler div.onmouseout should be blocked.] - expected: FAIL - - [Event handler div.onmouseover should be blocked.] - expected: FAIL - - [Event handler div.onmouseup should be blocked.] - expected: FAIL - - [Event handler div.onwheel should be blocked.] - expected: FAIL - - [Event handler div.onpause should be blocked.] - expected: FAIL - - [Event handler div.onplay should be blocked.] - expected: FAIL - - [Event handler div.onplaying should be blocked.] - expected: FAIL - - [Event handler div.onprogress should be blocked.] - expected: FAIL - - [Event handler div.onratechange should be blocked.] - expected: FAIL - - [Event handler div.onreset should be blocked.] - expected: FAIL - - [Event handler div.onresize should be blocked.] - expected: FAIL - - [Event handler div.onscroll should be blocked.] - expected: FAIL - - [Event handler div.onscrollend should be blocked.] - expected: FAIL - - [Event handler div.onsecuritypolicyviolation should be blocked.] - expected: FAIL - - [Event handler div.onseeked should be blocked.] - expected: FAIL - - [Event handler div.onseeking should be blocked.] - expected: FAIL - - [Event handler div.onselect should be blocked.] - expected: FAIL - - [Event handler div.onshow should be blocked.] - expected: FAIL - - [Event handler div.onslotchange should be blocked.] - expected: FAIL - - [Event handler div.onstalled should be blocked.] - expected: FAIL - - [Event handler div.onsubmit should be blocked.] - expected: FAIL - - [Event handler div.onsuspend should be blocked.] - expected: FAIL - - [Event handler div.ontimeupdate should be blocked.] - expected: FAIL - - [Event handler div.ontoggle should be blocked.] - expected: FAIL - - [Event handler div.onvolumechange should be blocked.] - expected: FAIL - - [Event handler div.onwaiting should be blocked.] - expected: FAIL - - [Event handler div.onanimationend should be blocked.] - expected: FAIL - - [Event handler div.onanimationiteration should be blocked.] - expected: FAIL - - [Event handler div.ontransitionrun should be blocked.] - expected: FAIL - - [Event handler div.ontransitionend should be blocked.] - expected: FAIL - - [Event handler div.ontransitioncancel should be blocked.] - expected: FAIL - - [Event handler div.onselectstart should be blocked.] - expected: FAIL - - [Event handler div.onselectionchange should be blocked.] - expected: FAIL - - [Event handler div.onwebkitanimationend should be blocked.] - expected: FAIL - - [Event handler div.onwebkitanimationiteration should be blocked.] - expected: FAIL - - [Event handler div.onwebkitanimationstart should be blocked.] - expected: FAIL - - [Event handler div.onwebkittransitionend should be blocked.] - expected: FAIL diff --git a/tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini b/tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini deleted file mode 100644 index c05d2accfe0..00000000000 --- a/tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini +++ /dev/null @@ -1,6 +0,0 @@ -[trusted-types-reporting-for-Element-setAttribute.html] - [Violation report for Element.setAttribute('onclick', plain_string)] - expected: FAIL - - [Violation report for Element.setAttributeNS(null, 'onclick', plain_string)] - expected: FAIL