Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement further enforcement of Trusted Types for Attributes
https://bugs.webkit.org/show_bug.cgi?id=274267

Reviewed by Ryosuke Niwa.

This patch adds trusted types enforcement to Attr textContent, value and nodeValue.
It also improves error handling for mutating attributes within default policy.

* LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-attribute-via-attribute-node-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/modify-attributes-in-callback-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/modify-attributes-in-callback.html:
* Source/WebCore/dom/Attr.cpp:
(WebCore::Attr::setValue):
(WebCore::Attr::setNodeValue):
* Source/WebCore/dom/Attr.h:
* Source/WebCore/dom/CharacterData.cpp:
(WebCore::CharacterData::setNodeValue):
* Source/WebCore/dom/CharacterData.h:
* Source/WebCore/dom/Element.cpp:
(WebCore::Element::validateAttributeIndex const):
(WebCore::Element::setAttribute):
* Source/WebCore/dom/Element.h:
* Source/WebCore/dom/Node.cpp:
(WebCore::Node::setNodeValue):
(WebCore::Node::setTextContent):
* Source/WebCore/dom/Node.h:

Canonical link: https://commits.webkit.org/279118@main
1 parent f33204d, commit be4cdc9
Showing 11 changed files with 85 additions and 42 deletions.
30 changes: 12 additions & 18 deletions
...-tests/trusted-types/block-string-assignment-to-attribute-via-attribute-node-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,22 +1,16 @@ | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'" | ||
|
||
|
||
PASS Sanity check: Setting non-TT attributes still works. | ||
FAIL Set script.src via textContent assert_throws_js: function "_ => { | ||
element.attributes[0].textContent = "sldkjsfldk"; | ||
}" did not throw | ||
FAIL Set script.src via nodeValue assert_throws_js: function "_ => { | ||
element.attributes[0].nodeValue = "sdflkgjdlkgjdg"; | ||
}" did not throw | ||
FAIL Set iframe.srcdoc via textContent assert_throws_js: function "_ => { | ||
element.attributes[0].textContent = "sldkjsfldk"; | ||
}" did not throw | ||
FAIL Set iframe.srcdoc via nodeValue assert_throws_js: function "_ => { | ||
element.attributes[0].nodeValue = "sdflkgjdlkgjdg"; | ||
}" did not throw | ||
FAIL Set div.onclick via textContent assert_throws_js: function "_ => { | ||
element.attributes[0].textContent = "sldkjsfldk"; | ||
}" did not throw | ||
FAIL Set div.onclick via nodeValue assert_throws_js: function "_ => { | ||
element.attributes[0].nodeValue = "sdflkgjdlkgjdg"; | ||
}" did not throw | ||
PASS Set script.src via textContent | ||
PASS Set script.src via nodeValue | ||
PASS Set iframe.srcdoc via textContent | ||
PASS Set iframe.srcdoc via nodeValue | ||
PASS Set div.onclick via textContent | ||
PASS Set div.onclick via nodeValue | ||
|
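Review bot: the PASS lines in this expectation file cover only textContent and nodeValue on the attribute node (for script.src, iframe.srcdoc and div.onclick), yet the commit message says Attr value is now enforced as well, and no "via value" subtest appears here. Please confirm that a subtest assigning element.attributes[0].value exists elsewhere in the trusted-types tests, or add one, so that a regression in Attr::setValue cannot slip through while this file stays green. A smaller point on the six added CONSOLE MESSAGE lines: each reads "This requires a TrustedScriptURL value" (or TrustedHTML / TrustedScript) without naming the element or attribute, so the two messages of each pair are indistinguishable and a violation report cannot be tied back to the sink that raised it; including the attribute name in the message would help anyone triaging require-trusted-types-for violations.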