Improve test coverage of sink values #494

Open
lukewarlow opened this issue Mar 28, 2024 · 7 comments

@lukewarlow
Member

We should ensure that we have exhaustive coverage of the "sink" value, this is the prefix for violation object samples, as well as being one of the arguments for the default policy.

@lukewarlow
Member Author

Example change web-platform-tests/wpt#45058

lukewarlow added this to the v1 milestone Mar 28, 2024
moz-wptsync-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 18, 2024
One step towards fixing w3c/trusted-types#494.

Differential Revision: https://phabricator.services.mozilla.com/D232363

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1907849
gecko-commit: cb3e58c8b7ff8d78bfab512fae053cc7de5d787b
gecko-reviewers: smaug
moz-wptsync-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 30, 2024
One step towards fixing w3c/trusted-types#494.

Differential Revision: https://phabricator.services.mozilla.com/D232363

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1907849
gecko-commit: c006cb26e155686ac4c27d2a0797ff2ce03e39a8
gecko-reviewers: smaug
@fred-wang
Collaborator

fred-wang commented Jan 3, 2025

@fred-wang
Collaborator

fred-wang commented Jan 6, 2025

Trusted Types spec:

  • HTMLScriptElement's innerText (TrustedScript)
  • HTMLScriptElement's textContent (TrustedScript)
  • HTMLScriptElement's src (TrustedScriptURL)
  • HTMLScriptElement's text (TrustedScript)

HTML spec:

  • Document's write() (TrustedHTML) -- covered by block-string-assignment-to-Document-write.html
  • Document's writeln() (TrustedHTML) -- covered by block-string-assignment-to-Document-write.html
  • Document's parseHTMLUnsafe() (TrustedHTML) -- covered by block-string-assignment-to-Document-parseHTMLUnsafe.html
  • HTMLIFrameElement's srcdoc (TrustedHTML) -- covered by block-string-assignment-to-HTMLIFrameElement-srcdoc.html
  • Element's setHTMLUnsafe() (TrustedHTML) -- covered by block-string-assignment-to-Element-setHTMLUnsafe.html
  • Element's innerHTML (TrustedHTML) -- covered by trusted-types-createHTMLDocument.html
  • Element's outerHTML (TrustedHTML) -- covered by block-string-assignment-to-Element-outerHTML.html
  • Element's insertAdjacentHTML() (TrustedHTML) -- covered by block-string-assignment-to-Element-insertAdjacentHTML.html
  • ShadowRoot's setHTMLUnsafe() (TrustedHTML) -- covered by block-string-assignment-to-ShadowRoot-setHTMLUnsafe.html
  • ShadowRoot's innerHTML (TrustedHTML) -- covered by block-string-assignment-to-ShadowRoot-innerHTML.html
  • DOMParser's parseFromString() (TrustedHTML) -- covered by block-string-assignment-to-DOMParser-parseFromString.html
  • Range's createContextualFragment() (TrustedHTML) -- covered by block-string-assignment-to-Range-createContextualFragment.html
  • eval() (TrustedScript) -- covered by block-eval-function-constructor.html
  • WindowOrWorkerGlobalScope's setTimeout() (TrustedScript) -- covered by block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.html (done in block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.js, which is loaded from Window, Worker and SharedWorker)
  • WindowOrWorkerGlobalScope's setInterval() (TrustedScript) -- covered by block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.html (done in block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.js, which is loaded from Window, Worker and SharedWorker)
  • WorkerGlobalScope's importScripts() (TrustedScriptURL) -- covered by trusted-types/support/WorkerGlobalScope-importScripts.https.js
  • Worker's constructor (TrustedScriptURL) -- covered by worker-constructor.https.html (from Window only, perhaps we need to check the sink when constructor is called from DedicatedWorker/SharedWorker too)
  • SharedWorker's constructor (TrustedScriptURL) -- covered by worker-constructor.https.html

DOM spec:

  • Element's setAttribute() (TrustedType)
  • Element's setAttributeNS() (TrustedType)

CSP spec:

  • eval() (TrustedScript) -- covered by block-eval-function-constructor.html
  • function constructor (TrustedScript) -- covered by block-eval-function-constructor.html

SVG spec:

  • SVGAnimatedString's baseVal (TrustedScriptURL) -- this seems essentially used for SVGScriptElement's href, but the spec status is a bit fuzzy. -- covered by trusted-types-svg-script-set-href.html
  • Luke mentioned SVGScriptElement should have similar script enforcement as HTML, but details are not specced yet. See SVGScriptElement needs TT protection too #483 ; likely we need to repeat the sink checks for the corresponding properties (innerText, textContent, text).

Service Workers spec:

  • ServiceWorkerContainer's register() (TrustedScriptURL) -- covered by worker-constructor.https.html (from Window only, perhaps we need to check the sink when constructor is called from Worker too)

execCommand draft:

  • Document's execCommand() (TrustedHTML) -- covered by block-Document-execCommand.html
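
The coverage goal in this issue can be expressed as a check over recorded test observations: for each listed sink, the default policy's arguments and the violation sample prefix must both name that sink. The following is an added example, not code from the thread or from WPT; the `"<Interface> <member>"` sink naming, the `|` separator after the sink in the sample, and all function names and sample records are assumptions made for illustration.

```javascript
// Added example: audits recorded Trusted Types observations against expected sinks.
// Assumptions: sink names look like "<Interface> <member>"; a sample starts with "<sink>|".

// Turn a list entry such as "Element's setHTMLUnsafe() (TrustedHTML)" into expectations.
function parseEntry(entry) {
  const m = /^(\w+)'s (\w+)(?:\(\))? \((\w+)\)$/.exec(entry.trim());
  if (!m) throw new Error(`unrecognised entry: ${entry}`);
  return { sink: `${m[1]} ${m[2]}`, type: m[3] };
}

// observation = { policyArgs: [value, typeName, sink], sample }
function checkObservation(entry, observation) {
  const { sink, type } = parseEntry(entry);
  const [, typeName, sinkArg] = observation.policyArgs;
  const problems = [];
  if (typeName !== type) problems.push(`type: expected ${type}, got ${typeName}`);
  if (sinkArg !== sink) problems.push(`sink argument: expected "${sink}", got "${sinkArg}"`);
  // Include the separator so "Document write" cannot match "Document writeln".
  if (!observation.sample.startsWith(`${sink}|`)) {
    problems.push(`sample prefix: expected "${sink}|", got "${observation.sample}"`);
  }
  return problems;
}

// Report every entry, including those no test ever exercised.
function auditCoverage(entries, observed) {
  const report = {};
  for (const entry of entries) {
    const obs = observed[entry];
    report[entry] = obs ? checkObservation(entry, obs) : ["no observation recorded"];
  }
  return report;
}

// Constructed sample data: one correct record, one wrong sample prefix, one missing.
const entries = [
  "Element's innerHTML (TrustedHTML)",
  "Document's writeln() (TrustedHTML)",
  "HTMLIFrameElement's srcdoc (TrustedHTML)",
];
const observed = {
  [entries[0]]: { policyArgs: ["<b>x</b>", "TrustedHTML", "Element innerHTML"], sample: "Element innerHTML|<b>x</b>" },
  [entries[1]]: { policyArgs: ["<p>", "TrustedHTML", "Document writeln"], sample: "Document write|<p>" },
};
console.log(auditCoverage(entries, observed));
```
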

@lukewarlow
Member Author

There's also SVGScriptElement, which needs handling; it's just not specced yet.

@fred-wang
Collaborator

@lukewarlow yes, I noticed that. It seems some PRs have been merged but are still not public. Will follow up with you privately.

fred-wang added a commit to web-platform-tests/wpt that referenced this issue Jan 6, 2025
This verifies some API for ParentNode/ChildNode [1] [2] don't do any
check for trusted types. This might already be covered by IDL tests but
we just perform a direct verification here. This test fails in Chromium,
which is not aligned with the DOM spec here [3] and performs specific
checks for HTML script elements. Chromium also implements similar
behavior for `ChildNodePart.replaceChildren()` but that's currently not
shipped [4].

[1] https://dom.spec.whatwg.org/#interface-parentnode
[2] https://dom.spec.whatwg.org/#interface-childnode
[3] w3c/trusted-types#494 (comment)
[4] https://groups.google.com/a/chromium.org/g/blink-dev/c/wIADRnljZDA/m/whzEaaAADAAJ
@fred-wang
Collaborator

Everything that is implemented in Gecko or WebKit is covered by one of the specs at #494 (comment) but Chromium still seems to implement legacy stuff (probably we should write some tests to verify these are not valid sinks).

Tests added in web-platform-tests/wpt#49920 for ParentNode/ChildNode and support removed from Chromium for DOM parts in https://chromium-review.googlesource.com/c/chromium/src/+/6150068.
