Bug 1518578 [wpt PR 14753] - Require TrustedScript in el.setAttribute('on*'), a=testonly
authorJakub Vrana <jakubvrana@google.com>
Thu, 31 Jan 2019 18:30:42 +0000
changeset 456926 642d7c83a7494575a5d1dfe19986f2f76fcc4057
parent 456925 093669eda7e0c9fe7305e21a14b12ad0144b841f
child 456927 25f061ee975f2ac569ee438a2b2b5f0a81a4699b
push id111705
push userjames@hoppipolla.co.uk
push dateTue, 05 Feb 2019 18:07:20 +0000
treeherdermozilla-inbound@9592b19c9b09 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1518578, 14753, 919107, 739170, 1400821, 621686
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1518578 [wpt PR 14753] - Require TrustedScript in el.setAttribute('on*'), a=testonly Automatic update from web-platform-tests Require TrustedScript in el.setAttribute('on*') Bug: 919107, 739170 Change-Id: Ie357fa1d13175e313605415b00fd3529247d84d0 Reviewed-on: https://chromium-review.googlesource.com/c/1400821 Commit-Queue: Jakub Vrana <jakubvrana@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#621686} -- wpt-commits: 4b303fb30d6fdde4d38a8bdbc82d384ff89f30b8 wpt-pr: 14753
testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
testing/web-platform/tests/trusted-types/support/helper.sub.js
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
@@ -64,28 +64,41 @@
     test(t => {
       assert_element_accepts_trusted_html_explicit_set(window, c, t, c[0], c[1], RESULTS.HTML);
       assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
       assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
       assert_throws_no_trusted_type_explicit_set(c[0], c[1], nullPolicy.createScript('script'));
     }, c[0] + "." + c[1] + " accepts only TrustedHTML");
   });
 
+  // TrustedScript Assignments
+  const ScriptTestCases = [
+    [ 'div', 'onclick' ]
+  ];
+
+  ScriptTestCases.forEach(c => {
+    test(t => {
+      assert_element_accepts_trusted_script_explicit_set(window, c, t, c[0], c[1], RESULTS.SCRIPT);
+      assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
+      assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
+    }, c[0] + "." + c[1] + " accepts only TrustedScript");
+  });
+
   test(t => {
     let el = document.createElement('iframe');
 
     assert_throws(new TypeError(), _ => {
       el.setAttribute('SrC', INPUTS.URL);
     });
 
     assert_equals(el.src, '');
   }, "`Element.prototype.setAttribute.SrC = string` throws.");
 
   // After default policy creation string and null assignments implicitly call createXYZ
-  let p = window.TrustedTypes.createPolicy("default", { createURL: createURLJS, createScriptURL: createScriptURLJS, createHTML: createHTMLJS }, true);
+  let p = window.TrustedTypes.createPolicy("default", { createURL: createURLJS, createScriptURL: createScriptURLJS, createHTML: createHTMLJS, createScript: createScriptJS }, true);
   URLTestCases.forEach(c => {
     test(t => {
       assert_element_accepts_trusted_type(c[0], c[1], INPUTS.URL, RESULTS.URL);
 
       // Properties that actually parse the URLs will resort to the base URL
       // when given a null or empty URL.
       assert_element_accepts_trusted_type(c[0], c[1], null, "" + window.location);
     }, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
@@ -103,16 +116,23 @@
 
   HTMLTestCases.forEach(c => {
     test(t => {
       assert_element_accepts_trusted_type(c[0], c[1], INPUTS.HTML, RESULTS.HTML);
       assert_element_accepts_trusted_type(c[0], c[1], null, "null");
     }, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
   });
 
+  ScriptTestCases.forEach(c => {
+    test(t => {
+      assert_element_accepts_trusted_type_explicit_set(c[0], c[1], INPUTS.SCRIPT, RESULTS.SCRIPT);
+      assert_element_accepts_trusted_type_explicit_set(c[0], c[1], null, "null");
+    }, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
+  });
+
   // Other attributes can be assigned with TrustedTypes or strings or null values
   test(t => {
     assert_element_accepts_trusted_url_explicit_set(window, 'arel', t, 'a', 'rel', RESULTS.URL);
   }, "a.rel assigned via policy (successful URL transformation)");
 
   test(t => {
     assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', 'A string', 'A string');
   }, "a.rel accepts strings");
--- a/testing/web-platform/tests/trusted-types/support/helper.sub.js
+++ b/testing/web-platform/tests/trusted-types/support/helper.sub.js
@@ -116,17 +116,19 @@ function assert_element_accepts_trusted_
   let p = createURL_policy(win, c);
   let url = p.createURL(INPUTS.URL);
   assert_element_accepts_trusted_type_explicit_set(tag, attribute, url, expected);
 }
 
 function assert_element_accepts_trusted_type_explicit_set(tag, attribute, value, expected) {
   let elem = document.createElement(tag);
   elem.setAttribute(attribute, value);
-  assert_equals(elem[attribute] + "", expected);
+  if (!/^on/.test(attribute)) { // "on" attributes are converted to functions.
+    assert_equals(elem[attribute] + "", expected);
+  }
   assert_equals(elem.getAttribute(attribute), expected);
 }
 
 function assert_throws_no_trusted_type_explicit_set(tag, attribute, value) {
   let elem = document.createElement(tag);
   let prev = elem[attribute];
   assert_throws(new TypeError(), _ => {
     elem.setAttribute(attribute, value);