Skip to content

Commit

Permalink
[Trusted Types] Sink name changes in violation reports.
Browse files Browse the repository at this point in the history 
1. Use space instead of a dot.
2. Use HTMLScriptElement and SVGScriptElement instead of script.
3. Use `|` instead of ` ` between sink name and string value.

Bug: 1058446
Change-Id: I84b555b50dcb839cc8455612f08d53f028fc607f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2120495
Commit-Queue: Yifan Luo <lyf@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#755319}
  • Loading branch information
@iVanlIsh @chromium-wpt-export-bot
iVanlIsh authored and chromium-wpt-export-bot committed Apr 1, 2020
1 parent 0a71320 commit 6f338b1
Show file tree
Hide file tree
Showing 3 changed files with 54 additions and 16 deletions.
6 changes: 3 additions & 3 deletions content-security-policy/reporting/report-clips-sample.https.html
View file
Expand Up @@ -16,7 +16,7 @@
});
assert_false(evil);
return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
assert_equals(e.sample, "eval evil = '12345678901234567890123456789012");
assert_equals(e.sample, "eval|evil = '12345678901234567890123456789012");
}));
}, "Unsafe eval violation sample is clipped to 40 characters.");

Expand All @@ -26,7 +26,7 @@
});
return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
assert_equals(e.sample.replace(/\n/g, ""),
"eval (function anonymous(a,b) {return '1234");
"eval|(function anonymous(a,b) {return '1234");
}));
}, "Function constructor - the other kind of eval - is clipped.");

Expand All @@ -37,7 +37,7 @@
});
assert_equals(a.innerHTML, "");
return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
assert_equals(e.sample, "Element.innerHTML 1234567890123456789012345678901234567890");
assert_equals(e.sample, "Element innerHTML|1234567890123456789012345678901234567890");
}));
}, "Trusted Types violation sample is clipped to 40 characters excluded the sink name.");
</script>
Expand Down
2 changes: 1 addition & 1 deletion trusted-types/trusted-types-navigation.tentative.https.html
View file
Expand Up @@ -33,7 +33,7 @@
openWindow(t, "support/navigation-support.html");
return Promise.all([
expectLoadedAsMessage("navigation-support.html"),
expectViolationAsMessage("Location.href"),
expectViolationAsMessage("Location href"),
]);
}, "Navigate a window with javascript:-urls in enforcing mode.");

Expand Down
62 changes: 50 additions & 12 deletions trusted-types/trusted-types-reporting.tentative.https.html
View file
@@ -1,5 +1,6 @@
<!DOCTYPE html>
<head>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/content-security-policy/support/testharness-helper.js"></script>
Expand Down Expand Up @@ -154,17 +155,25 @@
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("Element.innerHTML"))
.then(expect_sample("abc"));
.then(expect_sample("Element innerHTML|abc"));
expect_throws(_ => { document.getElementById("div").innerHTML = "abc" });
return p;
}, "Trusted Type violation report: sample for .innerHTML assignment");
}, "Trusted Type violation report: sample for innerHTML assignment");

promise_test(t => {
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLScriptElement.src"));
.then(expect_sample("HTMLScriptElement text|abc"));
expect_throws(_ => { document.getElementById("script").text = "abc" });
return p;
}, "Trusted Type violation report: sample for text assignment");

promise_test(t => {
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLScriptElement src"));
expect_throws(_ => { document.getElementById("script").src = "" });
return p;
}, "Trusted Type violation report: sample for script.src assignment");
Expand All @@ -173,18 +182,48 @@
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLElement.innerText"))
.then(expect_sample("2+2;"));
.then(expect_sample("HTMLElement innerText|2+2;"));
expect_throws(_ => document.getElementById("script").innerText = "2+2;");
return p;
}, "Trusted Type violation report: sample for script innerText assignment");

// TODO(lyf): https://crbug.com/1066791 Following tests which related to svg
// script element cause a flaky timeout in `linux-blink-rel`, following tests
// should be added back after the bug fix.
//
// TODO(lyf): https://crbug.com/1064598
// promise_test(t => {
// let p = Promise.resolve()
// .then(promise_violation("require-trusted-types-for 'script'"))
// .then(expect_blocked_uri("trusted-types-sink"))
// .then(expect_sample("SVGScriptElement href"));
// expect_throws(_ => { document.getElementById("svgscript").href.baseVal = "" });
// return p;
// }, "Trusted Type violation report: sample for SVGScriptElement href assignment");
//
// promise_test(t => {
// let p = Promise.resolve()
// .then(promise_violation("require-trusted-types-for 'script'"))
// .then(expect_blocked_uri("trusted-types-sink"))
// .then(expect_sample("Element setAttribute"));
// expect_throws(_ => { document.getElementById("svgscript").setAttribute('href', "test"); });
// return p;
// }, "Trusted Type violation report: sample for SVGScriptElement href assignment by setAttribute");
//
// promise_test(t => {
// let p = Promise.resolve()
// .then(promise_violation("require-trusted-types-for 'script'"))
// .then(expect_blocked_uri("trusted-types-sink"))
// .then(expect_sample("SVGScriptElement text"));
// expect_throws(_ => { document.getElementById("svgscript").insertBefore(document.createTextNode("Hello"), null) });
// return p;
// }, "Trusted Type violation report: sample for SVGScriptElement text assignment");

promise_test(t => {
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("eval"))
.then(expect_sample("2+2"))
.then(expect_sample("eval|2+2"))
.then(promise_flush());
expect_throws(_ => eval("2+2"));
flush();
Expand All @@ -197,8 +236,7 @@
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLElement.innerText"))
.then(expect_sample("abbb"))
.then(expect_sample("HTMLElement innerText|abbb"))
.then(e => assert_less_than(e.sample.length, 150));
const value = "a" + "b".repeat(50000);
expect_throws(_ => document.getElementById("script").innerText = value);
Expand All @@ -216,8 +254,7 @@
let p = Promise.resolve()
.then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLScriptElement.src"))
.then(expect_sample("abc"));
.then(expect_sample("HTMLScriptElement src|abc"));
expect_throws(_ => document.getElementById("customscript").src = "abc");
return p;
}, "Trusted Type violation report: sample for custom element assignment");
Expand All @@ -229,4 +266,5 @@
<div id="div"></div>
<script id="script"></script>
<script id="customscript" is="custom-script" src="a"></script>
<svg><script id="svgscript"></script></svg>
</body>

0 comments on commit 6f338b1

Please sign in to comment.