author Mike West <mkwst@chromium.org>
Wed, 20 May 2020 16:59:26 +0000
changeset 531924 e07cf3d4936f99965d8d52afab0560b7cbfd7975
parent 518170 testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-nameTests.tentative.https.html@2e776909647f66798268ab95ae758ffc11374eaf
permissions -rw-r--r--
Bug 1637195 [wpt PR 23525] - Remove the `[SecureContext]` restriction from Trusted Types., a=testonly Automatic update from web-platform-tests Remove the `[SecureContext]` restriction from Trusted Types. While it's reasonable to exclude new APIs from non-secure contexts, the ancestry requirements allow attackers to disable restricted APIs from embedded contexts. This is usually excellent, as it means that data won't leak from secure to non-secure contexts. For security features, on the other hand, this gives the attacker some advantage with regard to embedded contexts' mitigations. This is unfortunate, and this patch removes the restriction to ensure that embedded contexts can continue to mitigate the effect of XSS attacks by reverting https://crrev.com/c/2093214 and https://crrev.com/c/2098076. Bug: 1059554 Change-Id: Ib948437310509f1d29cacff1e6c74ab7cbc30d11 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2195965 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#767894} -- wpt-commits: 094353fedf808caf83e82b4959b5edf02e1be92e wpt-pr: 23525

<!DOCTYPE html>
<script src="/resources/testharness.js" ></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy"
      content="trusted-types SomeName SomeOtherName">
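  // Policy name test: a name listed in the page's CSP `trusted-types`
  // directive (see the <meta> above) yields a TrustedTypePolicy that
  // reports that name.
  test(t => {
    const policy = trustedTypes.createPolicy('SomeName', {} );
    assert_true(policy instanceof TrustedTypePolicy);
    assert_equals(policy.name, 'SomeName');
  }, "policy.name = name");

  // Duplicate names test: creating a second policy with a name that is
  // already taken must be rejected with a TypeError. (The closing `});`
  // of the inner callback was missing from the listing and is restored.)
  test(t => {
    assert_throws_js(TypeError, _ => {
     trustedTypes.createPolicy('SomeName', {} );
    });
  }, "duplicate policy name attempt throws");

  // Runs |fn|, which is expected to throw, and returns the thrown value.
  // Fails the enclosing test if |fn| returns normally, so that the message
  // assertions below cannot pass vacuously when no error is raised at all
  // (the original try/catch only asserted inside the catch block).
  const captureError = fn => {
    try {
      fn();
    } catch (e) {
      return e;
    }
    assert_unreached("createPolicy() was expected to throw");
  };

  // Check error messages: a name that is not listed in the CSP directive
  // and a name that is already in use are both rejected, but the two
  // failures must be distinguishable by their message.
  test(t => {
    // Unlisted name: rejected, but not reported as a duplicate.
    const unlisted = captureError(() => trustedTypes.createPolicy("unknown name", {}));
    assert_false(unlisted.toString().includes("already exists"));

    // Name already created by the first test: reported as a duplicate.
    const duplicate = captureError(() => trustedTypes.createPolicy("SomeName", {}));
    assert_true(duplicate.toString().includes("already exists"));
  }, "Error messages for duplicates and unlisted policies should be different");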