From 16202f33e1a5e5612afc908c9cb3b3f235d3eb89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Wang?=
Date: Mon, 31 Mar 2025 05:17:40 +0000
Subject: [PATCH] Implement forgiving parsing for trusted-types CSP directive.

Currently, we just discard the whole directive if an invalid token is found. With this patch, we instead ignore such a token. Also improves tests in should-trusted-type-policy-creation-be-blocked-by-csp-002.html so that we really check that the original trusted-types directive is preserved after serialization. See https://github.com/w3c/webappsec-csp/pull/363#issuecomment-2160193577
Differential Revision: https://phabricator.services.mozilla.com/D243358
bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1935434
gecko-commit: f27925f3d6f792efb037cdb55bb98b972c11c1c6
gecko-reviewers: smaug
---
 ...ld-trusted-type-policy-creation-be-blocked-by-csp-002.html | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html b/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html
index fc1906a7c99fdb..4bfbb6514a01bd 100644
--- a/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html
+++ b/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html
@@ -63,6 +63,8 @@
 // https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy
 assert_true(results[0].exception instanceof TypeError, "createPolicy() should throw a TypeError.");
 assert_equals(results[0].violatedPolicies.length, 1, "createPolicy() should trigger a violation report.");
+ assert_equals(results[0].violatedPolicies[0].disposition, "enforce");
+ assert_equals(results[0].violatedPolicies[0].policy, `trusted-types ${trustedTypePolicyName}`);
 }, `invalid tt-policy-name name "${trustedTypePolicyName}"`);
 });
 
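Review bot: The two assertions added after the `violatedPolicies.length` check have no description string, unlike the `assert_true`/`assert_equals` lines directly above them, so a failure will not say which field of the violation report was wrong; for example `assert_equals(results[0].violatedPolicies[0].disposition, "enforce", "The violated policy should be enforced.");`. A short comment before the `.policy` check would also help, e.g. `// The report echoes the directive as delivered, including the token the parser now ignores.`, because the expected string still contains the invalid name while createPolicy() is still expected to throw. The same two points apply to the second hunk, where the expected value `trusted-types _TTP_*` is a hand-typed literal that does not visibly match the test title on the following line; deriving it from the same string the page delivers would be safer (the delivery code is not in view, so confirm). The enclosing test callbacks start outside both hunks.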
@@ -90,5 +92,7 @@
 assert_equals(results.length, 1);
 assert_true(results[0].exception instanceof TypeError);
 assert_equals(results[0].violatedPolicies.length, 1);
+ assert_equals(results[0].violatedPolicies[0].disposition, "enforce");
+ assert_equals(results[0].violatedPolicies[0].policy, `trusted-types _TTP_*`);
 }, `invalid directive "trusted-type _TTP" (no ascii whitespace)`);