-
Notifications
You must be signed in to change notification settings - Fork 3.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add more tests for trusted-types-sink violation reports.
This covers all Window-only sinks listed in w3c/trusted-types#494 (comment) This also adds small improvements to csp-violations.js: - Rely on connect-src / EventSource / self.add/removeEventListner, so that the file could be usable in Workers in the future. - Also force a connect-src violation before executing fn, so that we can flush previously reported violations. Although this is not necessary for existing tests, I noticed this can sometimes happen when I was trying to write tests.
- Loading branch information
Showing
31 changed files
with
536 additions
and
123 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
trusted-types/require-trusted-types-for-report-only.html.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,2 @@ | ||
| Content-Security-Policy-Report-Only: require-trusted-types-for 'script' | ||
| Content-Security-Policy: object-src 'none' | ||
| Content-Security-Policy: connect-src 'none' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample' | ||
| Content-Security-Policy: object-src 'none' | ||
| Content-Security-Policy: connect-src 'none' | ||
| Content-Security-Policy: require-trusted-types-for 'script' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 1 addition & 1 deletion
2
trusted-types/trusted-types-eval-reporting-report-only.html.headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval' | ||
| Content-Security-Policy: object-src 'none' | ||
| Content-Security-Policy: connect-src 'none' | ||
| Content-Security-Policy-Report-Only: require-trusted-types-for 'script' | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval' | ||
| Content-Security-Policy: object-src 'none' | ||
| Content-Security-Policy: connect-src 'none' | ||
| Content-Security-Policy: require-trusted-types-for 'script' | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,2 @@ | ||
| Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php; require-trusted-types-for 'script'; | ||
| Content-Security-Policy: object-src 'none' | ||
| Content-Security-Policy: connect-src 'none' |
26 changes: 26 additions & 0 deletions
26
trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = `<p>${'A'.repeat(100)}</p>`; | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| (new DOMParser()).parseFromString(policy.createHTML(input), "text/html") | ||
| ); | ||
| }, "No violation reported for TrustedHTML."); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| (new DOMParser()).parseFromString(input, "text/html") | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `DOMParser parseFromString|${clipSampleIfNeeded(input)}`); | ||
| }, "Violation report for plain string."); | ||
| </script> | ||
| </body> |
34 changes: 34 additions & 0 deletions
34
trusted-types/trusted-types-reporting-for-Document-execCommand.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = `<p>${'A'.repeat(100)}</p>`; | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => { | ||
| ["insertHTML", "paste"].forEach(command => { | ||
| document.execCommand(command, false, policy.createHTML(input)); | ||
| }); | ||
| }); | ||
| }, "No violation reported for TrustedHTML."); | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| document.execCommand("paste", false, input) | ||
| ); | ||
| }, "No violation reported (paste command)."); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| document.execCommand("insertHTML", false, input) | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `Document execCommand|${clipSampleIfNeeded(input)}`); | ||
| }, "Violation report for plain string (insertHTML command)."); | ||
| </script> | ||
| </body> |
26 changes: 26 additions & 0 deletions
26
trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = `<p>${'A'.repeat(100)}</p>`; | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| Document.parseHTMLUnsafe(policy.createHTML(input)) | ||
| ); | ||
| }, "No violation reported for TrustedHTML."); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| Document.parseHTMLUnsafe(input) | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `Document parseHTMLUnsafe|${clipSampleIfNeeded(input)}`); | ||
| }, "Violation report for plain string."); | ||
| </script> | ||
| </body> |
38 changes: 38 additions & 0 deletions
38
trusted-types/trusted-types-reporting-for-Document-write.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <div id="log"></div> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = [`<p>${'A'.repeat(50)}</p>`, | ||
| `<p>${'B'.repeat(30)}</p>`, | ||
| `<p>${'C'.repeat(20)}</p>`]; | ||
| const joinedInput = input.join(''); | ||
| const trustedInput = input.map(x => policy.createHTML(input)); | ||
|
|
||
| // Create a separate document for testing, so write calls don't mess up with | ||
| // how testharness writes its output in the main document. | ||
| const doc = (new DOMParser()). | ||
| parseFromString(policy.createHTML("<body></body>"), "text/html"); | ||
|
|
||
| ["write", "writeln"].forEach(methodName => { | ||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| doc[methodName](...trustedInput) | ||
| ); | ||
| }, `No violation reported for ${methodName}() with TrustedHTML arguments.`); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| doc[methodName](trustedInput[0], input[1], trustedInput[2]) | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `Document ${methodName}|${clipSampleIfNeeded(joinedInput)}`); | ||
| }, `Violation report for plain string for ${methodName}() with at least one plain string argument.`); | ||
| }); | ||
| </script> | ||
| </body> |
26 changes: 26 additions & 0 deletions
26
trusted-types/trusted-types-reporting-for-Element-innerHTML.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = `<p>${'A'.repeat(100)}</p>`; | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| document.createElement("div").innerHTML = policy.createHTML(input) | ||
| ); | ||
| }, "No violation reported for TrustedHTML."); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| document.createElement("div").innerHTML = input | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `Element innerHTML|${clipSampleIfNeeded(input)}`); | ||
| }, "Violation report for plain string."); | ||
| </script> | ||
| </body> |
27 changes: 27 additions & 0 deletions
27
trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = `<p>${'A'.repeat(100)}</p>`; | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| document.createElement("div"). | ||
| insertAdjacentHTML("beforeend", policy.createHTML(input)) | ||
| ); | ||
| }, "No violation reported for TrustedHTML."); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| document.createElement("div").insertAdjacentHTML("beforeend", input) | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `Element insertAdjacentHTML|${clipSampleIfNeeded(input)}`); | ||
| }, "Violation report for plain string."); | ||
| </script> | ||
| </body> |
26 changes: 26 additions & 0 deletions
26
trusted-types/trusted-types-reporting-for-Element-outerHTML.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
| <script src="support/csp-violations.js"></script> | ||
| <meta http-equiv="Content-Security-Policy" | ||
| content="require-trusted-types-for 'script'; connect-src 'none';"> | ||
| <body> | ||
| <script> | ||
| const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x }); | ||
| const input = `<p>${'A'.repeat(100)}</p>`; | ||
|
|
||
| promise_test(async t => { | ||
| await no_trusted_type_violation_for(_ => | ||
| document.createElement("div").outerHTML = policy.createHTML(input) | ||
| ); | ||
| }, "No violation reported for TrustedHTML."); | ||
|
|
||
| promise_test(async t => { | ||
| let violation = await trusted_type_violation_for(TypeError, _ => | ||
| document.createElement("div").outerHTML = input | ||
| ); | ||
| assert_equals(violation.blockedURI, "trusted-types-sink"); | ||
| assert_equals(violation.sample, `Element outerHTML|${clipSampleIfNeeded(input)}`); | ||
| }, "Violation report for plain string."); | ||
| </script> | ||
| </body> |
Oops, something went wrong.