Add trusted type checks for global event handler attributes (#38718)

This only covers the global event handlers for now, while I figure out
which others we are missing. We don't seem to be missing the
WindowEventHandlers, but not sure where the others coming from.

Part of #36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

components/script/dom/eventtarget.rs

@@ -68,6 +68,98 @@ use crate::dom::workerglobalscope::WorkerGlobalScope;
 use crate::realms::{InRealm, enter_realm};
 use crate::script_runtime::CanGc;
 
+/// <https://html.spec.whatwg.org/multipage/#event-handler-content-attributes>
+/// containing the values from
+/// <https://html.spec.whatwg.org/multipage/#globaleventhandlers>
+static CONTENT_EVENT_HANDLER_NAMES: [&str; 83] = [
+    "onabort",
+    "onauxclick",
+    "onbeforeinput",
+    "onbeforematch",
+    "onbeforetoggle",
+    "onblur",
+    "oncancel",
+    "oncanplay",
+    "oncanplaythrough",
+    "onchange",
+    "onclick",
+    "onclose",
+    "oncommand",
+    "oncontextlost",
+    "oncontextmenu",
+    "oncontextrestored",
+    "oncopy",
+    "oncuechange",
+    "oncut",
+    "ondblclick",
+    "ondrag",
+    "ondragend",
+    "ondragenter",
+    "ondragleave",
+    "ondragover",
+    "ondragstart",
+    "ondrop",
+    "ondurationchange",
+    "onemptied",
+    "onended",
+    "onerror",
+    "onfocus",
+    "onformdata",
+    "oninput",
+    "oninvalid",
+    "onkeydown",
+    "onkeypress",
+    "onkeyup",
+    "onload",
+    "onloadeddata",
+    "onloadedmetadata",
+    "onloadstart",
+    "onmousedown",
+    "onmouseenter",
+    "onmouseleave",
+    "onmousemove",
+    "onmouseout",
+    "onmouseover",
+    "onmouseup",
+    "onpaste",
+    "onpause",
+    "onplay",
+    "onplaying",
+    "onprogress",
+    "onratechange",
+    "onreset",
+    "onresize",
+    "onscroll",
+    "onscrollend",
+    "onsecuritypolicyviolation",
+    "onseeked",
+    "onseeking",
+    "onselect",
+    "onslotchange",
+    "onstalled",
+    "onsubmit",
+    "onsuspend",
+    "ontimeupdate",
+    "ontoggle",
+    "onvolumechange",
+    "onwaiting",
+    "onwebkitanimationend",
+    "onwebkitanimationiteration",
+    "onwebkitanimationstart",
+    "onwebkittransitionend",
+    "onwheel",
+    // https://drafts.csswg.org/css-animations/#interface-globaleventhandlers-idl
+    "onanimationend",
+    "onanimationiteration",
+    // https://drafts.csswg.org/css-transitions/#interface-globaleventhandlers-idl
+    "ontransitionrun",
+    "ontransitionend",
+    "ontransitioncancel",
+    // https://w3c.github.io/selection-api/#extensions-to-globaleventhandlers-interface
+    "onselectstart",
+    "onselectionchange",
+];
+
 #[derive(Clone, JSTraceable, MallocSizeOf, PartialEq)]
 #[allow(clippy::enum_variant_names)]
 pub(crate) enum CommonEventHandler {
@@ -956,6 +1048,11 @@ impl EventTarget {
             );
         }
     }
+
+    /// <https://html.spec.whatwg.org/multipage/#event-handler-content-attributes>
+    pub(crate) fn is_content_event_handler(name: &str) -> bool {
+        CONTENT_EVENT_HANDLER_NAMES.contains(&name)
+    }
 }
 
 impl EventTargetMethods<crate::DomTypeHolder> for EventTarget {

components/script/dom/trustedtypepolicyfactory.rs

@@ -20,6 +20,7 @@ use crate::dom::bindings::reflector::{DomGlobal, Reflector, reflect_dom_object};
 use crate::dom::bindings::root::{DomRoot, MutNullableDom};
 use crate::dom::bindings::str::DOMString;
 use crate::dom::csp::CspReporting;
+use crate::dom::eventtarget::EventTarget;
 use crate::dom::globalscope::GlobalScope;
 use crate::dom::trustedhtml::TrustedHTML;
 use crate::dom::trustedscript::TrustedScript;
@@ -120,8 +121,18 @@ impl TrustedTypePolicyFactory {
         // Step 1: Let data be null.
         //
         // We return the if directly
-        // Step 2: If attributeNs is null, and attribute is the name of an event handler content attribute, then:
+        // Step 2: If attributeNs is null, « HTML namespace, SVG namespace, MathML namespace » contains
-        // TODO(36258): look up event handlers
+        // element’s namespace, and attribute is the name of an event handler content attribute:
+        if attribute_namespace.is_none() &&
+            matches!(*element_namespace, ns!(html) | ns!(svg) | ns!(mathml)) &&
+            EventTarget::is_content_event_handler(attribute)
+        {
+            // Step 2.1. Return (Element, null, attribute, TrustedScript, "Element " + attribute).
+            return Some((
+                TrustedType::TrustedScript,
+                "Element ".to_owned() + attribute,
+            ));
+        }
         // Step 3: Find the row in the following table, where element is in the first column,
         // attributeNs is in the second column, and attribute is in the third column.
         // If a matching row is found, set data to that row.

tests/wpt/meta/trusted-types/GlobalEventHandlers-onclick.html.ini

@@ -1,6 +0,0 @@
-[GlobalEventHandlers-onclick.html]
-  [a.setAttribute('onclick') sets an unsuitable trusted type.]
-    expected: FAIL
-
-  [a.setAttribute('click') sets a test string.]
-    expected: FAIL

tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getAttributeType.html.ini

@@ -1,9 +0,0 @@
-[TrustedTypePolicyFactory-getAttributeType.html]
-  [getAttributeType(\n          "DIV",\n          "onclick",\n          "http://www.w3.org/1999/xhtml",\n          "null") == "TrustedScript"]
-    expected: FAIL
-
-  [getAttributeType(\n          "g",\n          "ondblclick",\n          "http://www.w3.org/2000/svg",\n          "null") == "TrustedScript"]
-    expected: FAIL
-
-  [getAttributeType(\n          "mrow",\n          "onmousedown",\n          "http://www.w3.org/1998/Math/MathML",\n          "null") == "TrustedScript"]
-    expected: FAIL

tests/wpt/meta/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.html.ini

@@ -1,9 +0,0 @@
-[TrustedTypePolicyFactory-getPropertyType.tentative.html]
-  [sanity check trustedTypes.getAttributeType.]
-    expected: FAIL
-
-  [getAttributeType tests adapted from w3c/trusted-types polyfill]
-    expected: FAIL
-
-  [getPropertyType vs getAttributeType for event handler.]
-    expected: FAIL

tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setAttribute.html.ini

@@ -1,12 +1,3 @@
 [block-string-assignment-to-Element-setAttribute.html]
-  [div.onclick accepts only TrustedScript]
-    expected: FAIL
-
-  [div.onclick's mutationobservers receive the default policy's value.]
-    expected: FAIL
-
-  [div.onclick accepts string and null after default policy was created.]
-    expected: FAIL
-
   [`script.src = setAttributeNode(embed.src)` with string works.]
     expected: FAIL

tests/wpt/meta/trusted-types/set-attributes-mutations-in-callback.tentative.html.ini

@@ -1,22 +1,4 @@
 [set-attributes-mutations-in-callback.tentative.html]
-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete other attribute before)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete other attribute before)]
-    expected: FAIL
-
   [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete other attribute before)]
     expected: FAIL
 
@@ -164,24 +146,6 @@
   [Node.textContent works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (delete other attribute before)]
     expected: FAIL
 
-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (delete attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (delete attribute)]
-    expected: FAIL
-
   [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (delete attribute)]
     expected: FAIL
 
@@ -329,24 +293,6 @@
   [Node.textContent works for elementNS=http://www.w3.org/2000/svg, element=script, attrNS=http://www.w3.org/1999/xlink, attrName=href (delete attribute)]
     expected: FAIL
 
-  [Element.setAttribute works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttribute works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick (modify attribute)]
-    expected: FAIL
-
-  [Element.setAttributeNS works for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown (modify attribute)]
-    expected: FAIL
-
   [Element.setAttributeNode works for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick (modify attribute)]
     expected: FAIL
 

tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-default-policy.html.ini

@@ -1,22 +1,4 @@
 [set-attributes-require-trusted-types-default-policy.html]
-  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick]
-    expected: FAIL
-
-  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick]
-    expected: FAIL
-
-  [Element.setAttribute applies default policy for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown]
-    expected: FAIL
-
-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick]
-    expected: FAIL
-
-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/2000/svg, element=g, attrName=ondblclick]
-    expected: FAIL
-
-  [Element.setAttributeNS applies default policy for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow, attrName=onmousedown]
-    expected: FAIL
-
   [Element.setAttributeNode applies default policy for elementNS=http://www.w3.org/1999/xhtml, element=DIV, attrName=onclick]
     expected: FAIL
 

tests/wpt/meta/trusted-types/set-attributes-require-trusted-types-no-default-policy.html.ini

@@ -1,22 +1,4 @@
 [set-attributes-require-trusted-types-no-default-policy.html]
-  [Element.setAttribute throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV,  attrName=onclick with a plain string]
-    expected: FAIL
-
-  [Element.setAttribute throws for elementNS=http://www.w3.org/2000/svg, element=g,  attrName=ondblclick with a plain string]
-    expected: FAIL
-
-  [Element.setAttribute throws for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow,  attrName=onmousedown with a plain string]
-    expected: FAIL
-
-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV,  attrName=onclick with a plain string]
-    expected: FAIL
-
-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/2000/svg, element=g,  attrName=ondblclick with a plain string]
-    expected: FAIL
-
-  [Element.setAttributeNS throws for elementNS=http://www.w3.org/1998/Math/MathML, element=mrow,  attrName=onmousedown with a plain string]
-    expected: FAIL
-
   [Element.setAttributeNode throws for elementNS=http://www.w3.org/1999/xhtml, element=DIV,  attrName=onclick with a plain string]
     expected: FAIL
 

tests/wpt/meta/trusted-types/trusted-types-event-handlers.html.ini

@@ -1,270 +0,0 @@
-[trusted-types-event-handlers.html]
-  [Event handler onclick should be blocked.]
-    expected: FAIL
-
-  [Event handler onchange should be blocked.]
-    expected: FAIL
-
-  [Event handler onfocus should be blocked.]
-    expected: FAIL
-
-  [Event handler oNclick should be blocked.]
-    expected: FAIL
-
-  [Event handler OnClIcK should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncopy should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncut should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onpaste should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onauxclick should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onabort should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onbeforeinput should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onbeforematch should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onbeforetoggle should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onblur should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncancel should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncanplay should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncanplaythrough should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onchange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onclick should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onclose should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncommand should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncontextmenu should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncontextlost should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncontextrestored should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oncuechange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondblclick should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondrag should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondragend should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondragenter should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondragexit should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondragleave should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondragover should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondragstart should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondrop should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ondurationchange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onemptied should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onended should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onerror should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onfocus should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onformdata should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oninput should be blocked.]
-    expected: FAIL
-
-  [Event handler div.oninvalid should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onkeydown should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onkeypress should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onkeyup should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onload should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onloadeddata should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onloadedmetadata should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onloadstart should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmousedown should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmouseenter should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmouseleave should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmousemove should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmouseout should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmouseover should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onmouseup should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onwheel should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onpause should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onplay should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onplaying should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onprogress should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onratechange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onreset should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onresize should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onscroll should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onscrollend should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onsecuritypolicyviolation should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onseeked should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onseeking should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onselect should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onshow should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onslotchange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onstalled should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onsubmit should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onsuspend should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ontimeupdate should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ontoggle should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onvolumechange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onwaiting should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onanimationend should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onanimationiteration should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ontransitionrun should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ontransitionend should be blocked.]
-    expected: FAIL
-
-  [Event handler div.ontransitioncancel should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onselectstart should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onselectionchange should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onwebkitanimationend should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onwebkitanimationiteration should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onwebkitanimationstart should be blocked.]
-    expected: FAIL
-
-  [Event handler div.onwebkittransitionend should be blocked.]
-    expected: FAIL

tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setAttribute.html.ini

@@ -1,6 +0,0 @@
-[trusted-types-reporting-for-Element-setAttribute.html]
-  [Violation report for Element.setAttribute('onclick', plain_string)]
-    expected: FAIL
-
-  [Violation report for Element.setAttributeNS(null, 'onclick', plain_string)]
-    expected: FAIL