[Trusted Types] Cover attribute node manipulation with Trusted Types …

…checks.

Element::setAttribute will perform trusted types checks, which (currently)
can be circumvented by obtaining the DOM's attribute node and setting the
value directly. This fixes this bypass, by performing identical checks when
the attribute node values are set, and/or the attribute node is attached to
an element.

Bug: 1008012
Bug: w3c/trusted-types#47
Change-Id: I1d8ead85b3fa11821c329e1f4af60c1e85ea8298

trusted-types/TrustedType-AttributeNodes.tentative.html

@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+</head>
+<body>
+<script>
+  // This is a set of tests that try to make sure various ways of setting
+  // attributes (directly; via an attribute node; etc.) are all being treated
+  // identically. For background, se::
+  // https://github.com/w3c/webappsec-trusted-types/issues/47
+
+  const elems = ["div", "script", "embed", "iframe"];
+  const attrs = ["src", "srcdoc", "onclick", "bla"];
+
+  const policy_callback = s => ("" + s + " [policy]");
+  const policy = trustedTypes.createPolicy("policy", {
+    "createHTML": policy_callback,
+    "createScript": policy_callback,
+    "createScriptURL": policy_callback,
+  });
+
+  // Returns either the string-ified result value of fn, or an exception type.
+  function try_get(fn) {
+    try {
+      return "" + fn();
+    } catch(e) {
+      return "" + e.name;
+    }
+  }
+
+  // Returns a 'trusted' version of value, if element.attribute requires it.
+  function trusted(element, attribute, value) {
+    switch (trustedTypes.getAttributeType(element, attribute)) {
+      case 'TrustedHTML': value = policy.createHTML(value); break;
+      case 'TrustedScript': value = policy.createScript(value); break;
+      case 'TrustedScriptURL': value = policy.createScriptURL(value); break;
+    }
+    return value;
+  }
+
+  for (elem of elems) {
+    for (attr of attrs) {
+      const reference = try_get(_ => {
+        const e = document.createElement(elem);
+        e.setAttribute(attr, "hello");
+        return e.getAttribute(attr);
+      });
+
+      // Event handlers (like "onclick") apply to all elements, so we don't
+      // really have 'harmless' element we can attach them to. Hence this test
+      // case doesn't apply.
+      if (attr != "onclick") {
+        test(t => {
+          const harmless = document.createElement("div");
+          harmless.setAttribute(attr, "hello");
+          const node = harmless.getAttributeNode(attr);
+          harmless.removeAttributeNode(node);
+
+          const actual = try_get(_ => {
+            const e = document.createElement(elem);
+            e.setAttributeNode(node);
+            return e.getAttribute(attr);
+          });
+          assert_equals(actual, reference);
+        }, `Set attribute via attribute node on ${elem}.${attr}.`);
+      }
+
+      test(t => {
+        const e = document.createElement(elem);
+        e.setAttribute(attr, trusted(elem, attr, "123"));
+        const actual = try_get(_ => {
+          e.getAttributeNode(attr).value = "hello";
+          return e.getAttribute(attr);
+        });
+        assert_equals(actual, reference);
+      }, `Set attribute via attributenode.value on ${elem}.${attr}.`);
+
+      test(t => {
+        const e = document.createElement(elem);
+        const attrnode = document.createAttribute(attr);
+        attrnode.value = "hello";
+        const actual = try_get(_ => {
+          e.attributes.setNamedItem(attrnode);
+          return e.getAttribute(attr);
+        });
+        assert_equals(actual, reference);
+      }, `Set attribute via NamedNodeMap.setNamedItem on ${elem}.${attr}.`);
+    }
+  }
+</script>
+</body>