Improve test coverage for DOM integration in WPT #425
Assignees
Comments
Merged
|
web-platform-tests/wpt#44266 - PR to add coverage for setHTMLUnsafe and parseHTMLUnsafe |
@koto AFAIK, such attribute nodes can only be gotten from a different realm, if the realm corresponds to the same origin. E.g. via an "Prevent malicious authors of the web application’s JavaScript code from being able to bypass the restrictions; attempting to protect against malicious authors would result in an overly complex and not-practical design." Is the assumption that same-origin documents may correspond to multiple authors, from which only one may be malicious? |
|
It's only testing the mechanics of the DOM integration. We have to pick a realm to run the TT checks against, and this is a way to test that we're picking the element's document realm. We're not extending the threat model to cover cross-documents vector, the fact that it might be used to block attaching foreign (same-origin) attribute node to a local element is just a consequence of the mechanisms we chose. |
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Jan 31, 2024
…to a TT iframe element throws First step to fix <w3c/trusted-types#425>. Will add separate commits for the other tests requested at above ticket.
@koto: to be precise, the test should be added to a file like <block-string-assignment-to-Element-setAttributeNode.html>, since |
|
Yes |
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 19, 2024
…s created in a non-TT enforcing realm are imported to a TT-enforcing realm See <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. This excludes tests for <https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-event-handler-content-attributes> which will have to be added once that part of the spec is propagated to the HTML spec. The remaining tests mentioned at <w3c/trusted-types#425 (comment)> will be added in separate commits.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 19, 2024
…to a TT iframe element throws First step to fix <w3c/trusted-types#425>. Will add separate commits for the other tests requested at above ticket.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 19, 2024
…s created in a non-TT enforcing realm are imported to a TT-enforcing realm See <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. This excludes tests for <https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-event-handler-content-attributes> which will have to be added once that part of the spec is propagated to the HTML spec. The remaining tests mentioned at <w3c/trusted-types#425 (comment)> will be added in separate commits.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 20, 2024
…n `setAttribute` is called As requested in <w3c/trusted-types#425 (comment)>.
This was referenced Feb 20, 2024
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 21, 2024
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 21, 2024
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 22, 2024
…to a TT iframe element throws First step to fix <w3c/trusted-types#425>. Will add separate commits for the other tests requested at above ticket.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 22, 2024
…s created in a non-TT enforcing realm are imported to a TT-enforcing realm See <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. This excludes tests for <https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-event-handler-content-attributes> which will have to be added once that part of the spec is propagated to the HTML spec. The remaining tests mentioned at <w3c/trusted-types#425 (comment)> will be added in separate commits.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Feb 22, 2024
lukewarlow
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Mar 7, 2024
lukewarlow
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Mar 7, 2024
…t policy value when `setAttribute` is called (#44673) * Move some test input data from the test to the input data * Add test that mutation observers receive the default policy value when `setAttribute` is called As requested in <w3c/trusted-types#425 (comment)>.
|
Reopening until web-platform-tests/wpt#44323 is merged. |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Mar 14, 2024
… for `setAttributeNS` to `null`, a=testonly Automatic update from web-platform-tests Change namespace for Trusted-Types tests for `setAttributeNS` to `null` See <w3c/trusted-types#418 (comment)> and <w3c/trusted-types#418 (comment)>. Preparation to fix <w3c/trusted-types#425>. -- wpt-commits: f823803bb10d628a2b09a3e76b602c9d9f7866b9 wpt-pr: 44699
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Mar 14, 2024
… observers receive the default policy value when `setAttribute` is called, a=testonly Automatic update from web-platform-tests Add test for Trusted Types that mutation observers receive the default policy value when `setAttribute` is called (#44673) * Move some test input data from the test to the input data * Add test that mutation observers receive the default policy value when `setAttribute` is called As requested in <w3c/trusted-types#425 (comment)>. -- wpt-commits: 33bdd2999338631492b8ce34a6a6c7ee48277c32 wpt-pr: 44673
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this issue
Mar 17, 2024
… for `setAttributeNS` to `null`, a=testonly Automatic update from web-platform-tests Change namespace for Trusted-Types tests for `setAttributeNS` to `null` See <w3c/trusted-types#418 (comment)> and <w3c/trusted-types#418 (comment)>. Preparation to fix <w3c/trusted-types#425>. -- wpt-commits: f823803bb10d628a2b09a3e76b602c9d9f7866b9 wpt-pr: 44699
jamienicol
pushed a commit
to jamienicol/gecko
that referenced
this issue
Mar 17, 2024
… observers receive the default policy value when `setAttribute` is called, a=testonly Automatic update from web-platform-tests Add test for Trusted Types that mutation observers receive the default policy value when `setAttribute` is called (#44673) * Move some test input data from the test to the input data * Add test that mutation observers receive the default policy value when `setAttribute` is called As requested in <w3c/trusted-types#425 (comment)>. -- wpt-commits: 33bdd2999338631492b8ce34a6a6c7ee48277c32 wpt-pr: 44673
BruceDai
pushed a commit
to BruceDai/wpt
that referenced
this issue
Mar 25, 2024
BruceDai
pushed a commit
to BruceDai/wpt
that referenced
this issue
Mar 25, 2024
…t policy value when `setAttribute` is called (web-platform-tests#44673) * Move some test input data from the test to the input data * Add test that mutation observers receive the default policy value when `setAttribute` is called As requested in <w3c/trusted-types#425 (comment)>.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Mar 28, 2024
…to a TT iframe element throws First step to fix <w3c/trusted-types#425>. Will add separate commits for the other tests requested at above ticket.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Mar 28, 2024
…s created in a non-TT enforcing realm are imported to a TT-enforcing realm See <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. This excludes tests for <https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-event-handler-content-attributes> which will have to be added once that part of the spec is propagated to the HTML spec. The remaining tests mentioned at <w3c/trusted-types#425 (comment)> will be added in separate commits.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Apr 8, 2024
…to a TT iframe element throws First step to fix <w3c/trusted-types#425>. Will add separate commits for the other tests requested at above ticket.
mbrodesser-Igalia
added a commit
to mbrodesser-Igalia/wpt
that referenced
this issue
Apr 8, 2024
…s created in a non-TT enforcing realm are imported to a TT-enforcing realm See <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. This excludes tests for <https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-event-handler-content-attributes> which will have to be added once that part of the spec is propagated to the HTML spec. The remaining tests mentioned at <w3c/trusted-types#425 (comment)> will be added in separate commits.
|
An additional test for web-platform-tests/wpt#44323 (review) is required. |
annevk
pushed a commit
to web-platform-tests/wpt
that referenced
this issue
Apr 15, 2024
|
Reopening to address #425 (comment). |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this issue
Apr 23, 2024
…ute node from a non-TT realm to a TT iframe element throws, a=testonly Automatic update from web-platform-tests Trusted Types: check that the policy is obtained from the correct global Helps with w3c/trusted-types#425. -- wpt-commits: 560c8d6dc55b08d13ba88f48bd51828bfbce8abd wpt-pr: 44323
vinnydiehl
pushed a commit
to vinnydiehl/mozilla-unified
that referenced
this issue
Apr 24, 2024
…ute node from a non-TT realm to a TT iframe element throws, a=testonly Automatic update from web-platform-tests Trusted Types: check that the policy is obtained from the correct global Helps with w3c/trusted-types#425. -- wpt-commits: 560c8d6dc55b08d13ba88f48bd51828bfbce8abd wpt-pr: 44323
ziransun
added a commit
to web-platform-tests/wpt
that referenced
this issue
May 22, 2024
… non-TT realm. See discussions at w3c/trusted-types#425 (comment).
ziransun
added a commit
to web-platform-tests/wpt
that referenced
this issue
May 24, 2024
… non-TT realm. See discussions at w3c/trusted-types#425 (comment).
ziransun
added a commit
to web-platform-tests/wpt
that referenced
this issue
May 24, 2024
… non-TT realm. See discussions at w3c/trusted-types#425 (comment).
ziransun
added a commit
to web-platform-tests/wpt
that referenced
this issue
May 27, 2024
… non-TT realm. See discussions at w3c/trusted-types#425 (comment).
|
With https://phabricator.services.mozilla.com/D231921 all scenarios are now covered. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://wpt.fyi/results/trusted-types/block-string-assignment-to-Element-setAttribute.html needs
srcdoc) node created in a different realm. It should be rejected when imported and added to an iframe in the current, TT-enforcing realm.MutationObserverhttps://jsfiddle.net/014ze36t/2/https://wpt.fyi/results/trusted-types/block-string-assignment-to-Element-setAttributeNS.html needs
iframe.setAttributeNS(null, 'SrcDoc')attribute (or a similar mixed-case test for HTML's attributes).#418 (comment) and #418 (comment) for context.
The text was updated successfully, but these errors were encountered: