Implement script prepare text for Trusted Types (#37466)

Recently added WPT tests for this are now mostly passing. The remaining tests fail on importmap support. Part of #36258 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-07-22 14:53:49 +01:00 · 2025-06-15 00:33:25 +02:00 · 2025-06-15 00:33:25 +02:00 · c74a422e4c
commit c74a422e4c
parent f963f2731d
12 changed files with 46 additions and 221 deletions
--- a/tests/wpt/meta/trusted-types/block-text-node-insertion-into-script-element.html.ini
+++ b/tests/wpt/meta/trusted-types/block-text-node-insertion-into-script-element.html.ini
@ -1,28 +0,0 @@
-[block-text-node-insertion-into-script-element.html]
-  expected: ERROR
-  [Regression test: Bypass via insertAdjacentText, initial comment.]
-    expected: FAIL
-
-  [Regression test: Bypass via insertAdjacentText, textContent.]
-    expected: FAIL
-
-  [Spot tests around script + innerHTML interaction.]
-    expected: FAIL
-
-  [Test that default policy applies.]
-    expected: FAIL
-
-  [Test a failing default policy.]
-    expected: FAIL
-
-  [Spot tests around script + innerHTML interaction with default policy.]
-    expected: FAIL
-
-  [Regression test: Bypass via appendChild into off-document script element.]
-    expected: FAIL
-
-  [Regression test: Bypass via appendChild into live script element.]
-    expected: FAIL
-
-  [Test that default policy applies to module script.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-001-outerHTML.xhtml.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-001-outerHTML.xhtml.ini
@ -1,3 +0,0 @@
-[script-enforcement-001-outerHTML.xhtml]
-  [Script source set via TrustedHTML sink Element.outerHTML drops trustworthiness.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-001.html.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-001.html.ini
@ -1,78 +1,3 @@
 [script-enforcement-001.html]
-  [Script source set via TrustedHTML sink Element.innerHTML drops trustworthiness.]
-    expected: FAIL
-
-  [Script source set via TrustedHTML sink Element.setHTMLUnsafe() drops trustworthiness.]
-    expected: FAIL
-
-  [Script source set via Node.nodeValue drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.data drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.appendData() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.insertData() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.replaceData() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.deleteData() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.before() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.after() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.remove() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via CharacterData.replaceWith() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Node.appendChild() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Node.insertBefore() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Node.replaceChild() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Node.removeChild() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Element.prepend() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Element.append() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Element.replaceChildren() drops trustworthiness.]
-    expected: FAIL
-
  [Setting script source via Element.moveBefore() drops trustworthiness.]
    expected: FAIL
-
-  [Setting script source via TrustedHTML sink Node.insertAdjacentHTML() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Node.insertAdjacentText() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Range.insertNode() drops trustworthiness.]
-    expected: FAIL
-
-  [Setting script source via Range.deleteContents() drops trustworthiness.]
-    expected: FAIL
-
-  [Cloning a script via Node.cloneNode() drops trustworthiness.]
-    expected: FAIL
-
-  [Cloning a script via Range.cloneContents() drops trustworthiness.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-002-outerHTML.xhtml.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-002-outerHTML.xhtml.ini
@ -1,3 +0,0 @@
-[script-enforcement-002-outerHTML.xhtml]
-  [Default policy's calls when setting script source via Element.outerHTML.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-002.html.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-002.html.ini
@ -1,78 +1,3 @@
 [script-enforcement-002.html]
-  [Default policy's calls when setting script source via Element.innerHTML.]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Element.setHTMLUnsafe().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.nodeValue.]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.data.]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.appendData().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.insertData().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.replaceData().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.deleteData().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.before().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.after().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.remove().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via CharacterData.replaceWith().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.appendChild().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.insertBefore().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.replaceChild().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.removeChild().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Element.prepend().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Element.append().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Element.replaceChildren().]
-    expected: FAIL
-
  [Default policy's calls when setting script source via Element.moveBefore().]
    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.insertAdjacentText().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Node.insertAdjacentHTML().]
-    expected: FAIL
-
-  [Default policy's calls when setting source via Range.insertNode().]
-    expected: FAIL
-
-  [Default policy's calls when setting script source via Range.deleteContents().]
-    expected: FAIL
-
-  [Default policy's calls when cloning a script via Node.cloneNode().]
-    expected: FAIL
-
-  [Default policy's calls when cloning a script via Range.cloneContents().]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-005.html.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-005.html.ini
@ -1,10 +1,4 @@
 [script-enforcement-005.html]
-  [Empty HTMLScriptElement is executed if the default policy makes it non-empty.]
-    expected: FAIL
-
-  [Non-empty HTMLScriptElement is not executed if the default policy makes it empty.]
-    expected: FAIL
-
  [Empty SVGScriptElement is executed if the default policy makes it non-empty.]
    expected: FAIL

--- a/tests/wpt/meta/trusted-types/script-enforcement-006.html.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-006.html.ini
@ -1,10 +1,3 @@
 [script-enforcement-006.html]
-  expected: ERROR
-  [Untrusted HTMLScriptElement with classic type uses the source text returned by the default policy.]
-    expected: FAIL
-
  [Untrusted HTMLScriptElement of importmap type uses the source text returned by the default policy.]
    expected: FAIL
-
-  [Untrusted HTMLScriptElement of module type uses the source text returned by the default policy.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-008.https.html.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-008.https.html.ini
@ -2,11 +2,5 @@
  [script-src CSP directive is properly set.]
    expected: FAIL

-  [Untrusted HTMLScriptElement with classic type uses the source text returned by the default policy for inline CSP check.]
-    expected: FAIL
-
  [Untrusted HTMLScriptElement of importmap type uses the source text returned by the default policy for inline CSP check.]
    expected: FAIL
-
-  [Untrusted HTMLScriptElement of module type uses the source text returned by the default policy for inline CSP check.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/script-enforcement-010.html.ini
+++ b/tests/wpt/meta/trusted-types/script-enforcement-010.html.ini
@ -1,6 +0,0 @@
-[script-enforcement-010.html]
-  [Changing script's type from classic to module in the default policy works.]
-    expected: FAIL
-
-  [Changing script's type from module to classic in the default policy works.]
-    expected: FAIL
--- a/tests/wpt/meta/trusted-types/trusted-types-reporting-for-HTMLScriptElement-children-change.html.ini
+++ b/tests/wpt/meta/trusted-types/trusted-types-reporting-for-HTMLScriptElement-children-change.html.ini
@ -1,3 +0,0 @@
-[trusted-types-reporting-for-HTMLScriptElement-children-change.html]
-  [sink mismatch violation report when the script text is changed by manipulating its children.]
-    expected: FAIL