[Trusted Types] Obey TT in createHTMLDocument-created documents.

This will pass on the Trusted Type enforcement requirement set by the CSP header, but will not actually instantiate a TrustedTypePolicyFactory. That plugs the current hole; but might not be an acceptable long-term solution. Bug: 951536 Change-Id: I56d541d57184396ce1dacdac9236d9259189f621
web-platform-tests · Nov 4, 2019 · ea42ede · ea42ede
1 parent 5450f27
commit ea42ede
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/trusted-types/trusted-types-createHTMLDocument.tentative.html b/trusted-types/trusted-types-createHTMLDocument.tentative.html
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/content-security-policy/support/testharness-helper.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+</head>
+<body>
+<script>
+
+test(t => {
+  function try_assign(doc) {
+    doc.createElement("script").textContent = "2+2";
+  }
+  assert_throws(new TypeError(),
+                _ => try_assign(document),
+                "Trusted Type assignment throws in main document");
+  assert_throws(new TypeError(),
+                _ => try_assign(document.implementation.createHTMLDocument("")),
+                "Trusted Type assignment throws in created document");
+}, "Trusted Types work in createHTMLDocument");
+
+test(t => {
+  const policy = trustedTypes.createPolicy("apolicy", {createHTML: x =>x });
+  const value = policy.createHTML("hello");
+  const doc = document.implementation.createHTMLDocument("");
+  doc.body.innerHTML = value;
+  assert_equals(doc.body.textContent, "hello");
+  assert_throws(new TypeError(),
+                _ => { doc.body.innerHTML = "world"; },
+                "Cannot assign text value.");
+  assert_equals(doc.body.textContent, "hello");
+}, "Trusted Type instances can be used in createHTMLDocument");
+
+</script>
+</body>