Bug 1518578 [wpt PR 14753] - Require TrustedScript in el.setAttribute('on*'), a=testonly
authorJakub Vrana <jakubvrana@google.com>
Thu, 31 Jan 2019 18:30:42 +0000
changeset 457949 4aae84fccf6e629617f0f3537b74ca819c34b77f
parent 457948 230742c4c0de6bc416b9e2cccba6b6f09bda9b35
child 457950 d3aea0b0ff9c3f08a931992bc9289de144c26611
push id35518
push useropoprus@mozilla.com
push dateFri, 08 Feb 2019 09:55:14 +0000
treeherdermozilla-central@3a3e393396f4 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerstestonly
bugs1518578, 14753, 919107, 739170, 1400821, 621686
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1518578 [wpt PR 14753] - Require TrustedScript in el.setAttribute('on*'), a=testonly Automatic update from web-platform-tests Require TrustedScript in el.setAttribute('on*') Bug: 919107, 739170 Change-Id: Ie357fa1d13175e313605415b00fd3529247d84d0 Reviewed-on: https://chromium-review.googlesource.com/c/1400821 Commit-Queue: Jakub Vrana <jakubvrana@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#621686} -- wpt-commits: 4b303fb30d6fdde4d38a8bdbc82d384ff89f30b8 wpt-pr: 14753
testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
testing/web-platform/tests/trusted-types/support/helper.sub.js
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
@@ -64,28 +64,41 @@
     test(t => {
       assert_element_accepts_trusted_html_explicit_set(window, c, t, c[0], c[1], RESULTS.HTML);
       assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
       assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
       assert_throws_no_trusted_type_explicit_set(c[0], c[1], nullPolicy.createScript('script'));
     }, c[0] + "." + c[1] + " accepts only TrustedHTML");
   });
 
+  // TrustedScript Assignments
+  const ScriptTestCases = [
+    [ 'div', 'onclick' ]
+  ];
+
+  ScriptTestCases.forEach(c => {
+    test(t => {
+      assert_element_accepts_trusted_script_explicit_set(window, c, t, c[0], c[1], RESULTS.SCRIPT);
+      assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
+      assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
+    }, c[0] + "." + c[1] + " accepts only TrustedScript");
+  });
+
   test(t => {
     let el = document.createElement('iframe');
 
     assert_throws(new TypeError(), _ => {
       el.setAttribute('SrC', INPUTS.URL);
     });
 
     assert_equals(el.src, '');
   }, "`Element.prototype.setAttribute.SrC = string` throws.");
 
   // After default policy creation string and null assignments implicitly call createXYZ
-  let p = window.TrustedTypes.createPolicy("default", { createURL: createURLJS, createScriptURL: createScriptURLJS, createHTML: createHTMLJS }, true);
+  let p = window.TrustedTypes.createPolicy("default", { createURL: createURLJS, createScriptURL: createScriptURLJS, createHTML: createHTMLJS, createScript: createScriptJS }, true);
   URLTestCases.forEach(c => {
     test(t => {
       assert_element_accepts_trusted_type(c[0], c[1], INPUTS.URL, RESULTS.URL);
 
       // Properties that actually parse the URLs will resort to the base URL
       // when given a null or empty URL.
       assert_element_accepts_trusted_type(c[0], c[1], null, "" + window.location);
     }, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
@@ -103,16 +116,23 @@
 
   HTMLTestCases.forEach(c => {
     test(t => {
       assert_element_accepts_trusted_type(c[0], c[1], INPUTS.HTML, RESULTS.HTML);
       assert_element_accepts_trusted_type(c[0], c[1], null, "null");
     }, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
   });
 
+  ScriptTestCases.forEach(c => {
+    test(t => {
+      assert_element_accepts_trusted_type_explicit_set(c[0], c[1], INPUTS.SCRIPT, RESULTS.SCRIPT);
+      assert_element_accepts_trusted_type_explicit_set(c[0], c[1], null, "null");
+    }, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
+  });
+
   // Other attributes can be assigned with TrustedTypes or strings or null values
   test(t => {
     assert_element_accepts_trusted_url_explicit_set(window, 'arel', t, 'a', 'rel', RESULTS.URL);
   }, "a.rel assigned via policy (successful URL transformation)");
 
   test(t => {
     assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', 'A string', 'A string');
   }, "a.rel accepts strings");
--- a/testing/web-platform/tests/trusted-types/support/helper.sub.js
+++ b/testing/web-platform/tests/trusted-types/support/helper.sub.js
@@ -116,17 +116,19 @@ function assert_element_accepts_trusted_
   let p = createURL_policy(win, c);
   let url = p.createURL(INPUTS.URL);
   assert_element_accepts_trusted_type_explicit_set(tag, attribute, url, expected);
 }
 
 function assert_element_accepts_trusted_type_explicit_set(tag, attribute, value, expected) {
   let elem = document.createElement(tag);
   elem.setAttribute(attribute, value);
-  assert_equals(elem[attribute] + "", expected);
+  if (!/^on/.test(attribute)) { // "on" attributes are converted to functions.
+    assert_equals(elem[attribute] + "", expected);
+  }
   assert_equals(elem.getAttribute(attribute), expected);
 }
 
 function assert_throws_no_trusted_type_explicit_set(tag, attribute, value) {
   let elem = document.createElement(tag);
   let prev = elem[attribute];
   assert_throws(new TypeError(), _ => {
     elem.setAttribute(attribute, value);