Bug 1769519 [wpt PR 34069] - [Trusted Types] Get list of event handlers from WebIDL, a=testonly
author Daniel Vogelheim <vogelheim@chromium.org>
Wed, 18 May 2022 03:32:46 +0000
changeset 618464 f7d28e62f1fb30926c3a230f150ad41e76e97378
parent 618463 740b96fa48489814e36a551517d4119c2650221a
child 618465 54c0027c8ffa9cf7fcb5fd8a042950cb040e041d
push id 163295
push user wptsync@mozilla.com
push date Sun, 22 May 2022 08:42:45 +0000
reviewers testonly
bugs 1769519, 34069, 3616765, 993268, 1084587, 3650577, 1003772
milestone 102.0a1
Bug 1769519 [wpt PR 34069] - [Trusted Types] Get list of event handlers from WebIDL, a=testonly

Automatic update from web-platform-tests
[Trusted Types] Get list of event handlers from WebIDL

This change retrieves the list of attributes declared as event handlers
from WebIDL and uses that to check for TrustedScript, instead of using
the string prefix "on".

This is a re-land of crrev.com/c/3616765, which broke the deterministic
build bots. Patchset 1 is the unmodified original; patchset 2 contains
the fix. Analysis of breakage is in crbug.com/993268#c17.

Bug: 993268, 1084587
Change-Id: I45078c26b713b5aa4ceb5cb888cc14fd98de7e08
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3650577
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mason Freed <masonf@chromium.org>
Reviewed-by: Yifan Luo <lyf@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1003772}

--

wpt-commits: f2d2cb29bb920c459158170b36f647946fae4b4a
wpt-pr: 34069
testing/web-platform/tests/trusted-types/trusted-types-event-handlers.tentative.html
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/trusted-types-event-handlers.tentative.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+</head>
+<body>
+<script>
+const element = document.createElement("div");
+
+[
+  "onclick",
+  "onchange",
+  "onfocus",
+  "oNclick",
+  "OnClIcK"
+].forEach(name => {
+  test(t => {
+    assert_throws_js(TypeError,
+        _ => element.setAttribute(name, "2+2"));
+  }, `Event handler ${name} should be blocked.`);
+});
+
+[
+  "one",
+  "oNe",
+  "onIcon",
+  "offIcon",
+  "blubb"
+].forEach(name => {
+  test(t => {
+    element.setAttribute(name, "2+2");
+  }, `Non-event handler ${name} should not be blocked.`);
+});
+
+// We'd like to be sure we're not missing anything. Let's "query" an HTML
+// element about which attributes it knows.
+const div = document.createElement("div");
+for(name in div.__proto__) {
+  const should_be_event_handler = name.startsWith("on");
+  if (should_be_event_handler) {
+    test(t => {
+      assert_throws_js(TypeError,
+          _ => element.setAttribute(name, "2+2"));
+    }, `Event handler div.${name} should be blocked.`);
+  } else {
+    test(t => {
+      element.setAttribute(name, "2+2");
+    }, `Non-event handler div.${name} should not be blocked.`);
+  }
+}
+</script>
+</body>
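Review bot: In the final loop, `const should_be_event_handler = name.startsWith("on");` uses the "on" prefix as the test oracle, which is the same heuristic the commit message says the implementation is moving away from in favour of the WebIDL event handler list. Any enumerable property on the prototype chain that starts with "on" but is not declared as an event handler would be expected to throw here, so the loop cannot distinguish a prefix-based implementation from a WebIDL-based one. Only the hand-written "one" / "onIcon" cases do that. Consider deriving the expectation from something other than the prefix, or adding a comment stating why the prefix is an exact match for the properties this loop enumerates. Separately, `for(name in div.__proto__)` has no declaration, so it assigns to the global `name` (which is `window.name` in a document); `for (const name in div.__proto__)` keeps the loop variable local. The new `div` is only used for enumeration while `element` receives every `setAttribute` call, so one of the two could be reused.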