<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/namespaces.js"></script>
<script src="support/passthroughpolicy.js"></script>
<script src="support/script-messages.js"></script>
<link rel="help" href="https://un5gnp8dyv5rcyxcrjjbfp0.julianrbryant.com/trusted-types/dist/spec/#enforcement-in-scripts">
<link rel="help" href="https://un5nj90kzk5vf152hgyfw29h1eja2.julianrbryant.com/#prepare-the-script-element">
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
<!-- This test covers the following step from the "prepare the script element"
algorithm, verifying that "source text" is the one after application of
the default policy: "If el has no src attribute, and source text is the
empty string, then return." -->
<div id="htmlContainer">
<script id="scriptToCreateNonEmptyHTMLScript" type="unknown">;</script>
</div>
<svg id="svgContainer">
<script id="scriptToCreateNonEmptySVGScript" type="unknown">;</script>
</svg>
<script>
// Default policy shared by all tests on this page. It inverts emptiness of the
// incoming script text: an empty string becomes the RUN-logging source
// (LOG_RUN_MESSAGE, from support/script-messages.js), while any non-empty
// string is replaced with "". Each call also logs a CREATE_SCRIPT marker and
// the sink name, so the tests can assert both that the policy was consulted
// and for which sink.
trustedTypes.createPolicy("default", {
  createScript(value, _trustedTypeName, sink) {
    window.log_message("CREATE_SCRIPT");
    window.log_message(sink);
    const isEmptySource = value.length === 0;
    return isEmptySource ? LOG_RUN_MESSAGE : "";
  },
});
promise_test(async t => {
  const messages = await script_messages_for(() => {
    // The default policy callback (sink "HTMLScriptElement text") is only
    // forced when the script text actually changes, so the pre-parsed
    // type="unknown" element is detached, stripped of its type and its
    // text child, and re-inserted rather than created with "" directly.
    // Should https://github.com/w3c/trusted-types/pull/579 land, this could
    // become create_html_script_with_untrusted_source_text("").
    const htmlScript = document.getElementById("scriptToCreateNonEmptyHTMLScript");
    htmlScript.remove();
    htmlScript.removeAttribute("type");
    htmlScript.firstChild.remove();
    htmlContainer.appendChild(htmlScript);
  });
  // Policy consulted for the text sink, then the now non-empty source runs.
  assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "RUN"]);
}, "Empty HTMLScriptElement is executed if the default policy makes it non-empty.");
promise_test(async t => {
  const messages = await script_messages_for(() => {
    // Untrusted, non-empty source: the default policy rewrites it to "", so
    // the "empty source text" early return of "prepare the script element"
    // must apply to the post-policy text and nothing may execute.
    const untrustedScript = create_html_script_with_untrusted_source_text(LOG_RUN_MESSAGE);
    htmlContainer.appendChild(untrustedScript);
  });
  // No "RUN" entry: the policy was consulted, the replaced source did not run.
  assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text"]);
}, "Non-empty HTMLScriptElement is not executed if the default policy makes it empty.");
promise_test(async t => {
  const messages = await script_messages_for(() => {
    // SVG counterpart of the HTML test above. The text is modified
    // explicitly (detach, drop type, drop the text child, re-insert) because
    // create_svg_script_with_untrusted_source_text("") may not yield an
    // untrusted value on implementations that enforce at the script level.
    const svgScript = document.getElementById("scriptToCreateNonEmptySVGScript");
    svgScript.remove();
    svgScript.removeAttribute("type");
    svgScript.firstChild.remove();
    svgContainer.appendChild(svgScript);
  });
  // Policy consulted for the SVG text sink, then the non-empty source runs.
  assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "RUN"]);
}, "Empty SVGScriptElement is executed if the default policy makes it non-empty.");
promise_test(async t => {
  const messages = await script_messages_for(() => {
    // Untrusted, non-empty SVG script source: the default policy turns it
    // into "", so the element must be prepared as empty and not execute.
    const untrustedSvgScript = create_svg_script_with_untrusted_source_text(LOG_RUN_MESSAGE);
    svgContainer.appendChild(untrustedSvgScript);
  });
  // No "RUN" entry: the policy was consulted, the replaced source did not run.
  assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text"]);
}, "Non-empty SVGScriptElement is not executed if the default policy makes it empty.");
</script>