testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
author Jakub Vrana <jakubvrana@google.com>
Thu, 31 Jan 2019 18:30:42 +0000
changeset 457949 4aae84fccf6e629617f0f3537b74ca819c34b77f
parent 457947 e9816eb709f6d0c46be4f00d729301c88b8f02d3
child 458044 53165076ff5ac0fd5c93a661d4020f52eb218c1f
permissions -rw-r--r--
Bug 1518578 [wpt PR 14753] - Require TrustedScript in el.setAttribute('on*'), a=testonly Automatic update from web-platform-tests Require TrustedScript in el.setAttribute('on*') Bug: 919107, 739170 Change-Id: Ie357fa1d13175e313605415b00fd3529247d84d0 Reviewed-on: https://chromium-review.googlesource.com/c/1400821 Commit-Queue: Jakub Vrana <jakubvrana@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#621686} -- wpt-commits: 4b303fb30d6fdde4d38a8bdbc82d384ff89f30b8 wpt-pr: 14753

<!DOCTYPE html>
<html>
<head>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/helper.sub.js"></script>

  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
</head>
<body>
<script>
  // Pass-through policy: createScript hands its input back unchanged. The URL,
  // script-URL and HTML cases below use nullPolicy.createScript('script') as a
  // value of the wrong trusted type that their sinks must reject.
  const nullPolicy = TrustedTypes.createPolicy('NullPolicy', {
    createScript(text) {
      return text;
    },
  });

  // TrustedURL sinks, as [element tag, attribute name] pairs.
  const URLTestCases = [
    ['a', 'href'],
    ['area', 'href'],
    ['base', 'href'],
    ['button', 'formAction'],
    ['form', 'action'],
    ['frame', 'src'],
    ['iframe', 'src'],
    ['img', 'src'],
    ['input', 'formAction'],
    ['input', 'src'],
    ['link', 'href'],
    ['video', 'src'],
    ['source', 'src'],
    ['track', 'src'],
  ];

  // No default policy exists yet at this point in the script. For every pair,
  // the helpers check that a TrustedURL is accepted and that a plain string,
  // null and a TrustedScript (a trusted value of the wrong type) are rejected.
  for (const c of URLTestCases) {
    const [tagName, attrName] = c;
    test(t => {
      // The pair array itself is passed as the helper's second argument.
      assert_element_accepts_trusted_url_explicit_set(window, c, t, tagName, attrName, RESULTS.URL);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, 'A string');
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, null);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, nullPolicy.createScript('script'));
    }, `${tagName}.${attrName} accepts only TrustedURL`);
  }

  // TrustedScriptURL sinks, as [element tag, attribute name] pairs.
  const scriptURLTestCases = [
    ['embed', 'src'],
    ['object', 'data'],
    ['object', 'codeBase'],
    ['script', 'src'],
  ];

  // Same shape as the TrustedURL checks: the matching trusted type is
  // accepted; a plain string, null and a TrustedScript are rejected.
  for (const c of scriptURLTestCases) {
    const [tagName, attrName] = c;
    test(t => {
      // The pair array itself is passed as the helper's second argument.
      assert_element_accepts_trusted_script_url_explicit_set(window, c, t, tagName, attrName, RESULTS.SCRIPTURL);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, 'A string');
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, null);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, nullPolicy.createScript('script'));
    }, `${tagName}.${attrName} accepts only TrustedScriptURL`);
  }

  // TrustedHTML sinks, as [element tag, attribute name] pairs.
  const HTMLTestCases = [
    ['iframe', 'srcdoc'],
  ];

  // iframe.srcdoc takes markup, so only TrustedHTML may be set on it; a plain
  // string, null and a TrustedScript are expected to throw.
  for (const c of HTMLTestCases) {
    const [tagName, attrName] = c;
    test(t => {
      // The pair array itself is passed as the helper's second argument.
      assert_element_accepts_trusted_html_explicit_set(window, c, t, tagName, attrName, RESULTS.HTML);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, 'A string');
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, null);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, nullPolicy.createScript('script'));
    }, `${tagName}.${attrName} accepts only TrustedHTML`);
  }

  // TrustedScript sinks (inline event-handler attributes), as
  // [element tag, attribute name] pairs.
  const ScriptTestCases = [
    ['div', 'onclick'],
  ];

  // An event-handler attribute set through setAttribute() must be given a
  // TrustedScript; a plain string and null are expected to throw.
  // NOTE(review): unlike the URL, script-URL and HTML cases, no value of a
  // different trusted type is tried here, and 'onclick' on a div is the only
  // on* attribute covered.
  for (const c of ScriptTestCases) {
    const [tagName, attrName] = c;
    test(t => {
      // The pair array itself is passed as the helper's second argument.
      assert_element_accepts_trusted_script_explicit_set(window, c, t, tagName, attrName, RESULTS.SCRIPT);
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, 'A string');
      assert_throws_no_trusted_type_explicit_set(tagName, attrName, null);
    }, `${tagName}.${attrName} accepts only TrustedScript`);
  }

  // Mixed-case attribute name: setting 'SrC' on an iframe to a plain string is
  // expected to throw a TypeError just as 'src' does, so the casing of the
  // name cannot be used to skip the check. The attribute must stay unset.
  test(t => {
    const frame = document.createElement('iframe');
    const setMixedCaseSrc = () => {
      frame.setAttribute('SrC', INPUTS.URL);
    };

    assert_throws(new TypeError(), setMixedCaseSrc);

    assert_equals(frame.src, '');
  }, "`Element.prototype.setAttribute.SrC = string` throws.");

  // Order matters: every test above runs with no default policy and expects
  // strings to be rejected. From here on a policy named "default" exists, and
  // string and null assignments are implicitly routed through its createXYZ
  // callbacks instead of throwing.
  // NOTE(review): the meaning of the third argument (true) is not visible in
  // this file; confirm against the createPolicy signature in use.
  let p = window.TrustedTypes.createPolicy(
    "default",
    {
      createURL: createURLJS,
      createScriptURL: createScriptURLJS,
      createHTML: createHTMLJS,
      createScript: createScriptJS,
    },
    true
  );

  // NOTE(review): this helper lacks the _explicit_set suffix used by the
  // pre-policy checks; confirm in support/helper.sub.js whether it goes
  // through setAttribute(), which is the path this file is about.
  for (const [tagName, attrName] of URLTestCases) {
    test(t => {
      assert_element_accepts_trusted_type(tagName, attrName, INPUTS.URL, RESULTS.URL);

      // A null or empty URL is resolved against the base URL by properties
      // that actually parse URLs, hence the document location as the result.
      assert_element_accepts_trusted_type(tagName, attrName, null, "" + window.location);
    }, `${tagName}.${attrName} accepts string and null after default policy was created.`);
  }

  // Script-URL sinks once the default policy exists: strings and null are
  // converted by the policy rather than rejected.
  // NOTE(review): the helper has no _explicit_set suffix; confirm in
  // support/helper.sub.js that it exercises setAttribute().
  for (const [tagName, attrName] of scriptURLTestCases) {
    test(t => {
      assert_element_accepts_trusted_type(tagName, attrName, INPUTS.SCRIPTURL, RESULTS.SCRIPTURL);

      // A null or empty URL is resolved against the base URL by properties
      // that actually parse URLs, hence the document location as the result.
      assert_element_accepts_trusted_type(tagName, attrName, null, "" + window.location);
    }, `${tagName}.${attrName} accepts string and null after default policy was created.`);
  }

  // HTML sinks once the default policy exists. null is expected to end up as
  // the literal string "null" rather than being rejected.
  // NOTE(review): the helper has no _explicit_set suffix; confirm in
  // support/helper.sub.js that it exercises setAttribute().
  for (const [tagName, attrName] of HTMLTestCases) {
    test(t => {
      assert_element_accepts_trusted_type(tagName, attrName, INPUTS.HTML, RESULTS.HTML);
      assert_element_accepts_trusted_type(tagName, attrName, null, "null");
    }, `${tagName}.${attrName} accepts string and null after default policy was created.`);
  }

  // Event-handler attributes once the default policy exists: a string goes
  // through the policy, and null is expected to end up as the string "null".
  for (const [tagName, attrName] of ScriptTestCases) {
    test(t => {
      assert_element_accepts_trusted_type_explicit_set(tagName, attrName, INPUTS.SCRIPT, RESULTS.SCRIPT);
      assert_element_accepts_trusted_type_explicit_set(tagName, attrName, null, "null");
    }, `${tagName}.${attrName} accepts string and null after default policy was created.`);
  }

  // Attributes that are not listed in the sink tables above stay unrestricted:
  // a.rel takes a trusted value, a plain string or null without throwing.
  test(t => {
    // 'arel' is passed where the table-driven tests pass their pair array.
    assert_element_accepts_trusted_url_explicit_set(window, 'arel', t, 'a', 'rel', RESULTS.URL);
  }, "a.rel assigned via policy (successful URL transformation)");

  test(() => {
    assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', 'A string', 'A string');
  }, "a.rel accepts strings");

  test(() => {
    // null is expected to be stored as the string 'null'.
    assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', null, 'null');
  }, "a.rel accepts null");

  // Moves an Attr node from one element to another. The expected value is the
  // raw INPUTS.URL, i.e. the test expects no policy conversion for 'src' on a
  // div or a span.
  // NOTE(review): both elements are outside the sink tables above; moving an
  // Attr node onto an element from those tables is not covered by this test.
  test(t => {
    const source = document.createElement('div');
    const target = document.createElement('span');

    source.setAttribute('src', INPUTS.URL);
    const srcAttr = source.getAttributeNode('src');
    // An Attr node has to be detached from its owner before it can be reused.
    source.removeAttributeNode(srcAttr);
    target.setAttributeNode(srcAttr);

    assert_equals(target.getAttribute('src'), INPUTS.URL);
  }, "`span.src = setAttributeNode(div.src)` with string works.");
</script>