From 3c5355de960511ca45833901d10f3b87f26c7f92 Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Thu, 15 Feb 2024 10:52:51 +0000 Subject: [PATCH] Remove `fromLiteral` from spec. (#405) --- explainer.md | 20 -- spec/index.bs | 44 +--- spec/index.html | 413 ++++++++++++++++--------------------- src/trustedtypes.js | 27 --- tests/trustedtypes_test.js | 48 ----- 5 files changed, 185 insertions(+), 367 deletions(-) diff --git a/explainer.md b/explainer.md index 7ae7f84a..f0ebe546 100644 --- a/explainer.md +++ b/explainer.md @@ -213,26 +213,6 @@ trustedTypes.createPolicy('default', { This mechanism complements CSP's `'unsafe-inline'`, allowing the authors to enable strong security controls in their application even if it occasionally uses `javascript:` URLs for legitimate purposes. -### Source Literals - -XSS is an unintended modification of a site's source code. Wrapping literals -from the original JavaScript resource - which by definition aren't XSS - can be -cumbersome. Trusted Types provides a way to easily wrap source literals in -Trusted Types by using the tagged template syntax and the `fromLiteral` methods, -in a way that cannot be spoofed at runtime: - -``` javascript -const value = TrustedHTML.fromLiteral`Hello there.`; -``` - -Note that template literals are passed as arrays of strings to the tag functions. -`fromLiteral` checks that a passed-in value is actually a template literal -and not dynamically constructed. - -``` javascript -TrustedHTML.fromLiteral(["Hello there."]); // Throws. -``` - ### DOM Sinks * **HTML Contexts**: Given something like `typedef (DOMString or TrustedHTML) HTMLString`, we'd diff --git a/spec/index.bs b/spec/index.bs index 113e21c5..25b6bc63 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -21,6 +21,7 @@ WPT Path Prefix: /trusted-types/ block-Document-execCommand.html block-Node-multiple-arguments.html block-string-assignment-to-attribute-via-attribute-node.html +block-string-assignment-to-Document-parseHTMLUnsafe.html block-string-assignment-to-Document-write.html block-string-assignment-to-DOMParser-parseFromString.html block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.html @@ -28,8 +29,10 @@ block-string-assignment-to-Element-insertAdjacentHTML.html block-string-assignment-to-Element-outerHTML.html block-string-assignment-to-Element-setAttribute.html block-string-assignment-to-Element-setAttributeNS.html +block-string-assignment-to-Element-setHTMLUnsafe.html block-string-assignment-to-HTMLElement-generic.html block-string-assignment-to-Range-createContextualFragment.html +block-string-assignment-to-ShadowRoot-setHTMLUnsafe.html block-text-node-insertion-into-script-element.html csp-block-eval.html default-policy-callback-arguments.html @@ -73,7 +76,6 @@ trusted-types-eval-reporting-no-unsafe-eval.html trusted-types-eval-reporting-report-only.html trusted-types-eval-reporting.html trusted-types-event-handlers.html -trusted-types-from-literal.html trusted-types-navigation.html trusted-types-report-only.html trusted-types-reporting-check-report.html @@ -85,7 +87,6 @@ TrustedType-AttributeNodes.html TrustedTypePolicy-createXXX.html TrustedTypePolicy-CSP-no-name.html TrustedTypePolicy-CSP-wildcard.html -TrustedTypePolicyFactory-blocking.html TrustedTypePolicyFactory-constants.html TrustedTypePolicyFactory-createPolicy-createXYZTests.html TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.html @@ -380,7 +381,6 @@ wrappers around a string, constructed via a {{TrustedTypePolicy}}'s interface TrustedHTML { stringifier; DOMString toJSON(); - static TrustedHTML fromLiteral(object templateStringsArray); }; @@ -393,9 +393,6 @@ will never change during its lifetime. TrustedHTML object are to return the value from its `[[Data]]` internal slot. -The fromLiteral(object templateStringsArray) method, when invoked, returns the result of executing a [$Create a Trusted Type from literal$] algorithm, -with {{TrustedHTML}} as |type| and |templateStringsArray| as |template|. - ### TrustedScript ### {#trusted-script} The TrustedScript interface represents a string with an uncompiled @@ -410,7 +407,6 @@ around a string, constructed via a {{TrustedTypePolicy}}'s interface TrustedScript { stringifier; DOMString toJSON(); - static TrustedScript fromLiteral(object templateStringsArray); }; @@ -423,9 +419,6 @@ will never change during its lifetime. TrustedScript object are to return the value from its `[[Data]]` internal slot. -The fromLiteral(object templateStringsArray) method, when invoked, returns the result of executing a [$Create a Trusted Type from literal$] algorithm, -with {{TrustedScript}} as |type| and |templateStringsArray| as |template|. - ### TrustedScriptURL ### {#trused-script-url} The TrustedScriptURL interface represents a string that a developer @@ -440,7 +433,6 @@ string, constructed via a {{TrustedTypePolicy}}'s interface TrustedScriptURL { stringifier; USVString toJSON(); - static TrustedScriptURL fromLiteral(object templateStringsArray); }; @@ -453,9 +445,6 @@ will never change during its lifetime. TrustedScriptURL object are to return the value from its `[[Data]]` internal slot. -The fromLiteral(object templateStringsArray) method, when invoked, returns the result of executing a [$Create a Trusted Type from literal$] algorithm, -with {{TrustedScriptURL}} as |type| and |templateStringsArray| as |template|. - ## Policies ## {#policies-hdr} Trusted Types can only be created via user-defined @@ -1026,29 +1015,6 @@ a string |value|, a list |arguments|, and a boolean |throwIfMissing|, execute th and [[ECMASCRIPT#sec-method|callback **this** value]] set to `null`, rethrowing any exceptions. 1. Return |policyValue|. -## Create a Trusted Type from literal ## {#create-a-trusted-type-from-literal-algorithm} - -Given a {{TrustedType}} type |type| and an object |template|, execute the following steps: - -1. If [$check templatedness$] of |template| returns false, throw a {{TypeError}}. -1. If [$Get$](|template|, "length") is not equal to 1, throw a {{TypeError}}. -1. Let |templatedValue| be the result of [$Get$](|template|, 0). -1. If |type| is {{TrustedHTML}}, perform the following steps: - 1. Let |templateNode| be the results of [=create an element|creating an element=] given "template", the [=HTML namespace=] and [=current global object=]'s [=associated Document=]. - 1. Assert: |templateNode| is {{HTMLTemplateElement}}. - 1. Let |fragment| be the result of invoking [$fragment parsing algorithm$], with |templatedValue| as markup, and |templateNode| as a context element. - 1. Set |templatedValue| to be the result of invoking [=HTML fragment serialization algorithm=], with |fragment| as the node. - -1. Return a new instance of an interface |type|, with its `[[Data]]` internal slot value set to |templatedValue|. - -## Check templatedness of an object ## {#check-templatedness-algorithm} - -To check templatedness of an object |value|, perform the following steps. They return a boolean value: - -1. Let |realm| be the current Realm Record. -1. For each |item| of |realm|.\[[TemplateMap]], if |item|.\[[Array]] is |value|, return true. -1. Return false. - ## Get Trusted Type compliant string ## {#get-trusted-type-compliant-string-algorithm} This algorithm will return a string that can be used with an @@ -1643,8 +1609,8 @@ Content-Security-Policy: require-trusted-types-for 'script'; trusted-types one t
An empty [=directive=] [=directive/value=] indicates policies may not be created, -and sinks expect Trusted Type values, i.e. DOM XSS [=injection sinks=] cannot be used -with dynamic values. Values for those sinks can only be created by fromLiteral tag functions. +and sinks expect Trusted Type values, i.e. no DOM XSS [=injection sinks=] can be used +at all. 
 Content-Security-Policy: trusted-types; require-trusted-types-for 'script'
diff --git a/spec/index.html b/spec/index.html index 4802f257..f417cf9f 100644 --- a/spec/index.html +++ b/spec/index.html @@ -7,7 +7,7 @@ - +