Implement trusted HTML sinks for Element (#36941)

Also implements a conversion from `TrustedHTMLOrNullIsEmptyString`
to `TrustedHTMLOrString`, to avoid introducing a separate
`get_trusted_script_compliant_string` for the new type.

Part of #36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Tim van der Lippe 2025-05-12 12:53:03 +02:00 committed by GitHub
parent a0dd2c1beb
commit d780fb7695
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 118 additions and 212 deletions


@ -16,6 +16,3 @@
[AsyncGenerator Function constructor is also clipped.]
expected: FAIL
[Trusted Types violation sample is clipped to 40 characters excluded the sink name.]
expected: FAIL


@ -1,22 +1,10 @@
[HTMLElement-generic.html]
[TT enabled: div.innerHTML\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: iframe.srcdoc\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: iframe.srcdoc\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: iframe.srcdoc\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL


@ -1,12 +0,0 @@
[block-string-assignment-to-Element-insertAdjacentHTML.html]
[`insertAdjacentHTML(string)` throws.]
expected: FAIL
[`insertAdjacentHTML(string)` still throws TypeError when position invalid.]
expected: FAIL
[`insertAdjacentHTML(null)` throws.]
expected: FAIL
[`insertAdjacentHTML(string)` assigned via default policy (successful HTML transformation).]
expected: FAIL


@ -1,15 +0,0 @@
[block-string-assignment-to-Element-outerHTML.html]
[`outerHTML = string` throws.]
expected: FAIL
[`outerHTML = string` throws TypeError even when parent is a document.]
expected: FAIL
[`outerHTML = null` throws.]
expected: FAIL
[`outerHTML = string` assigned via default policy (successful HTML transformation).]
expected: FAIL
[`outerHTML = null` assigned via default policy does not throw]
expected: FAIL


@ -1,12 +0,0 @@
[block-string-assignment-to-Element-setHTMLUnsafe.html]
[`element.setHTMLUnsafe(string)` throws.]
expected: FAIL
[`element.setHTMLUnsafe(null)` throws.]
expected: FAIL
[`element.setHTMLUnsafe(string)` assigned via default policy (successful HTML transformation).]
expected: FAIL
[`element.setHTMLUnsafe(string)` assigned via default policy does not throw]
expected: FAIL


@ -1,12 +1,6 @@
[block-string-assignment-to-HTMLElement-generic.html]
[div.innerHTML accepts only TrustedHTML]
expected: FAIL
[iframe.srcdoc accepts only TrustedHTML]
expected: FAIL
[div.innerHTML accepts string and null after default policy was created]
expected: FAIL
[iframe.srcdoc accepts string and null after default policy was created]
expected: FAIL


@ -1,9 +0,0 @@
[block-string-assignment-to-text-and-url-sinks.html]
[Setting HTMLDivElement.innerHTML to a plain string]
expected: FAIL
[Setting HTMLScriptElement.innerHTML to a plain string]
expected: FAIL
[Setting SVGScriptElement.innerHTML to a plain string]
expected: FAIL


@ -1,22 +0,0 @@
[default-policy.html]
expected: OK
[Count SecurityPolicyViolation events.]
expected: FAIL
[div.innerHTML no default policy]
expected: FAIL
[div.innerHTML default]
expected: FAIL
[div.innerHTML null]
expected: FAIL
[div.innerHTML throw]
expected: FAIL
[div.innerHTML undefined]
expected: FAIL
[div.innerHTML typeerror]
expected: FAIL


@ -1,7 +0,0 @@
[empty-default-policy.html]
expected: OK
[Count SecurityPolicyViolation events.]
expected: FAIL
[div.innerHTML default]
expected: FAIL


@ -1,6 +1,3 @@
[require-trusted-types-for-TypeError-belongs-to-the-global-object-realm.html]
[Setting innerHTML on a node inserted by the parser.]
expected: FAIL
[Setting innerHTML on a node adopted from a subframe.]
expected: FAIL


@ -1,3 +0,0 @@
[require-trusted-types-for-report-only.html]
[Require trusted types for 'script' block create HTML.]
expected: FAIL


@ -1,3 +0,0 @@
[require-trusted-types-for.html]
[Require trusted types for 'script' block create HTML.]
expected: FAIL


@ -1,20 +1,5 @@
[should-sink-type-mismatch-violation-be-blocked-by-csp-001.html]
expected: TIMEOUT
[Multiple enforce require-trusted-types-for directives.]
expected: FAIL
[Multiple report-only require-trusted-types-for directives.]
expected: FAIL
[One violated report-only require-trusted-types-for directive followed by multiple enforce directives]
expected: FAIL
[One violated enforce require-trusted-types-for directive followed by multiple report-only directives]
expected: FAIL
[Mixing enforce and report-only require-trusted-types-for directives.]
expected: FAIL
[directive "require-trusted-types-for 'script'%09'script'%0A'script'%0C'script'%0D'script'%20'script'" (required-ascii-whitespace)]
expected: TIMEOUT
@ -33,9 +18,6 @@
[directive "require-trusted-types-for unquoted-invalid 'script' also-unquoted-invalid (unknown sink group)]
expected: NOTRUN
[directive "require-trusted-types-for 'invalid'%09'script'" (required-ascii-whitespace)]
expected: FAIL
[directive "require-trusted-types-for 'invalid'%0A%20'script'" (required-ascii-whitespace)]
expected: TIMEOUT


@ -1,24 +0,0 @@
[trusted-types-createHTMLDocument.html]
[Trusted Type instances created in the main doc can be used. (document)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (createHTMLDocument)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (DOMParser)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (XHR)]
expected: FAIL
[Default policy applies. (document)]
expected: FAIL
[Default policy applies. (createHTMLDocument)]
expected: FAIL
[Default policy applies. (DOMParser)]
expected: FAIL
[Default policy applies. (XHR)]
expected: FAIL


@ -1,6 +0,0 @@
[trusted-types-report-only.html]
[Trusted Type violation report-only: assign string to html]
expected: FAIL
[Trusted Type violation report-only: assign string to script content]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-innerHTML.html]
[Violation report for plain string.]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-insertAdjacentHTML.html]
[Violation report for plain string.]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-outerHTML.html]
[Violation report for plain string.]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-setHTMLUnsafe.html]
[Violation report for plain string.]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-reporting-for-HTMLScriptElement-innerHTML.html]
[Violation report for plain string.]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-reporting-for-SVGScriptElement-innerHTML.html]
[Violation report for plain string.]
expected: FAIL


@ -1,3 +0,0 @@
[trusted-types-sandbox-allow-scripts.html]
[Default Trusted Types policy in a sandboxed page with allow-scripts.]
expected: FAIL


@ -1,9 +0,0 @@
[trusted-types-source-file-path.html]
[same-document script]
expected: FAIL
[same-origin script]
expected: FAIL
[cross-origin script]
expected: FAIL