Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-08-06 22:15:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Implement trusted HTML sinks for Element (#36941)

Browse source 
Also implements a conversion for `TrustedHTMLOrNullIsEmptyString`
to `TrustedHTMLOrString` to avoid introducing a separate
`get_trusted_script_compliant_string` for the new type.

Part of #36258

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
This commit is contained in:
Tim van der Lippe 2025-05-12 12:53:03 +02:00 committed by GitHub
parent a0dd2c1beb
commit d780fb7695
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 118 additions and 212 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tests/wpt/meta/content-security-policy/reporting/report-clips-sample.https.html.ini vendored
View file

@ -16,6 +16,3 @@
[AsyncGenerator Function constructor is also clipped.]
expected: FAIL
[Trusted Types violation sample is clipped to 40 characters excluded the sink name.]
expected: FAIL

12
tests/wpt/meta/trusted-types/HTMLElement-generic.html.ini vendored
View file

@ -1,22 +1,10 @@
[HTMLElement-generic.html]
[TT enabled: div.innerHTML\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: iframe.srcdoc\n = String on a\n connected element\n ]
expected: FAIL
[TT enabled: iframe.srcdoc\n = String on a\n non-connected element\n ]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: div.innerHTML\n = String on a\n non-connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL
[TT enabled: iframe.srcdoc\n = String on a\n connected element\n after removing the "require-trusted-types-for 'script' directive]
expected: FAIL

12
tests/wpt/meta/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.html.ini vendored
View file

@ -1,12 +0,0 @@
[block-string-assignment-to-Element-insertAdjacentHTML.html]
[`insertAdjacentHTML(string)` throws.]
expected: FAIL
[`insertAdjacentHTML(string)` still throws TypeError when position invalid.]
expected: FAIL
[`insertAdjacentHTML(null)` throws.]
expected: FAIL
[`insertAdjacentHTML(string)` assigned via default policy (successful HTML transformation).]
expected: FAIL

15
tests/wpt/meta/trusted-types/block-string-assignment-to-Element-outerHTML.html.ini vendored
View file

@ -1,15 +0,0 @@
[block-string-assignment-to-Element-outerHTML.html]
[`outerHTML = string` throws.]
expected: FAIL
[`outerHTML = string` throws TypeError even when parent is a document.]
expected: FAIL
[`outerHTML = null` throws.]
expected: FAIL
[`outerHTML = string` assigned via default policy (successful HTML transformation).]
expected: FAIL
[`outerHTML = null` assigned via default policy does not throw]
expected: FAIL

12
tests/wpt/meta/trusted-types/block-string-assignment-to-Element-setHTMLUnsafe.html.ini vendored
View file

@ -1,12 +0,0 @@
[block-string-assignment-to-Element-setHTMLUnsafe.html]
[`element.setHTMLUnsafe(string)` throws.]
expected: FAIL
[`element.setHTMLUnsafe(null)` throws.]
expected: FAIL
[`element.setHTMLUnsafe(string)` assigned via default policy (successful HTML transformation).]
expected: FAIL
[`element.setHTMLUnsafe(string)` assigned via default policy does not throw]
expected: FAIL

6
tests/wpt/meta/trusted-types/block-string-assignment-to-HTMLElement-generic.html.ini vendored
View file

@ -1,12 +1,6 @@
[block-string-assignment-to-HTMLElement-generic.html]
[div.innerHTML accepts only TrustedHTML]
expected: FAIL
[iframe.srcdoc accepts only TrustedHTML]
expected: FAIL
[div.innerHTML accepts string and null after default policy was created]
expected: FAIL
[iframe.srcdoc accepts string and null after default policy was created]
expected: FAIL

9
tests/wpt/meta/trusted-types/block-string-assignment-to-text-and-url-sinks.html.ini vendored
View file

@ -1,9 +0,0 @@
[block-string-assignment-to-text-and-url-sinks.html]
[Setting HTMLDivElement.innerHTML to a plain string]
expected: FAIL
[Setting HTMLScriptElement.innerHTML to a plain string]
expected: FAIL
[Setting SVGScriptElement.innerHTML to a plain string]
expected: FAIL

22
tests/wpt/meta/trusted-types/default-policy.html.ini vendored
View file

@ -1,22 +0,0 @@
[default-policy.html]
expected: OK
[Count SecurityPolicyViolation events.]
expected: FAIL
[div.innerHTML no default policy]
expected: FAIL
[div.innerHTML default]
expected: FAIL
[div.innerHTML null]
expected: FAIL
[div.innerHTML throw]
expected: FAIL
[div.innerHTML undefined]
expected: FAIL
[div.innerHTML typeerror]
expected: FAIL

7
tests/wpt/meta/trusted-types/empty-default-policy.html.ini vendored
View file

@ -1,7 +0,0 @@
[empty-default-policy.html]
expected: OK
[Count SecurityPolicyViolation events.]
expected: FAIL
[div.innerHTML default]
expected: FAIL

3
tests/wpt/meta/trusted-types/require-trusted-types-for-TypeError-belongs-to-the-global-object-realm.html.ini vendored
View file

@ -1,6 +1,3 @@
[require-trusted-types-for-TypeError-belongs-to-the-global-object-realm.html]
[Setting innerHTML on a node inserted by the parser.]
expected: FAIL
[Setting innerHTML on a node adopted from a subframe.]
expected: FAIL

3
tests/wpt/meta/trusted-types/require-trusted-types-for-report-only.html.ini vendored
View file

@ -1,3 +0,0 @@
[require-trusted-types-for-report-only.html]
[Require trusted types for 'script' block create HTML.]
expected: FAIL

3
tests/wpt/meta/trusted-types/require-trusted-types-for.html.ini vendored
View file

@ -1,3 +0,0 @@
[require-trusted-types-for.html]
[Require trusted types for 'script' block create HTML.]
expected: FAIL

18
tests/wpt/meta/trusted-types/should-sink-type-mismatch-violation-be-blocked-by-csp-001.html.ini vendored
View file

@ -1,20 +1,5 @@
[should-sink-type-mismatch-violation-be-blocked-by-csp-001.html]
expected: TIMEOUT
[Multiple enforce require-trusted-types-for directives.]
expected: FAIL
[Multiple report-only require-trusted-types-for directives.]
expected: FAIL
[One violated report-only require-trusted-types-for directive followed by multiple enforce directives]
expected: FAIL
[One violated enforce require-trusted-types-for directive followed by multiple report-only directives]
expected: FAIL
[Mixing enforce and report-only require-trusted-types-for directives.]
expected: FAIL
[directive "require-trusted-types-for 'script'%09'script'%0A'script'%0C'script'%0D'script'%20'script'" (required-ascii-whitespace)]
expected: TIMEOUT
@ -33,9 +18,6 @@
[directive "require-trusted-types-for unquoted-invalid 'script' also-unquoted-invalid (unknown sink group)]
expected: NOTRUN
[directive "require-trusted-types-for 'invalid'%09'script'" (required-ascii-whitespace)]
expected: FAIL
[directive "require-trusted-types-for 'invalid'%0A%20'script'" (required-ascii-whitespace)]
expected: TIMEOUT

24
tests/wpt/meta/trusted-types/trusted-types-createHTMLDocument.html.ini vendored
View file

@ -1,24 +0,0 @@
[trusted-types-createHTMLDocument.html]
[Trusted Type instances created in the main doc can be used. (document)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (createHTMLDocument)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (DOMParser)]
expected: FAIL
[Trusted Type instances created in the main doc can be used. (XHR)]
expected: FAIL
[Default policy applies. (document)]
expected: FAIL
[Default policy applies. (createHTMLDocument)]
expected: FAIL
[Default policy applies. (DOMParser)]
expected: FAIL
[Default policy applies. (XHR)]
expected: FAIL

6
tests/wpt/meta/trusted-types/trusted-types-report-only.html.ini vendored
View file

@ -1,6 +0,0 @@
[trusted-types-report-only.html]
[Trusted Type violation report-only: assign string to html]
expected: FAIL
[Trusted Type violation report-only: assign string to script content]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-innerHTML.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-innerHTML.html]
[Violation report for plain string.]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-insertAdjacentHTML.html]
[Violation report for plain string.]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-outerHTML.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-outerHTML.html]
[Violation report for plain string.]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-reporting-for-Element-setHTMLUnsafe.html]
[Violation report for plain string.]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-reporting-for-HTMLScriptElement-innerHTML.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-reporting-for-HTMLScriptElement-innerHTML.html]
[Violation report for plain string.]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-reporting-for-SVGScriptElement-innerHTML.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-reporting-for-SVGScriptElement-innerHTML.html]
[Violation report for plain string.]
expected: FAIL

3
tests/wpt/meta/trusted-types/trusted-types-sandbox-allow-scripts.html.ini vendored
View file

@ -1,3 +0,0 @@
[trusted-types-sandbox-allow-scripts.html]
[Default Trusted Types policy in a sandboxed page with allow-scripts.]
expected: FAIL

9
tests/wpt/meta/trusted-types/trusted-types-source-file-path.html.ini vendored
View file

@ -1,9 +0,0 @@
[trusted-types-source-file-path.html]
[same-document script]
expected: FAIL
[same-origin script]
expected: FAIL
[cross-origin script]
expected: FAIL