Bug 1968383 - Add more Trusted Type tests for HTML/SVG script enforcements. r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D251094

Author: fred-wang

testing/web-platform/meta/trusted-types/script-enforcement-001-outerHTML.xhtml.ini

@@ -0,0 +1,3 @@
+[script-enforcement-001-outerHTML.xhtml]
+  [Script source set via TrustedHTML sink Element.outerHTML drops trustworthiness.]
+    expected: FAIL

testing/web-platform/meta/trusted-types/script-enforcement-001.html.ini

@@ -0,0 +1,78 @@
+[script-enforcement-001.html]
+  [Script source set via TrustedHTML sink Element.innerHTML drops trustworthiness.]
+    expected: FAIL
+
+  [Script source set via TrustedHTML sink Element.setHTMLUnsafe() drops trustworthiness.]
+    expected: FAIL
+
+  [Script source set via Node.nodeValue drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.data drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.appendData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.insertData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.replaceData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.deleteData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.before() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.after() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.remove() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.replaceWith() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.appendChild() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.insertBefore() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.replaceChild() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.removeChild() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.prepend() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.append() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.replaceChildren() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.moveBefore() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via TrustedHTML sink Node.insertAdjacentHTML() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.insertAdjacentText() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Range.insertNode() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Range.deleteContents() drops trustworthiness.]
+    expected: FAIL
+
+  [Cloning a script via Node.cloneNode() drops trustworthiness.]
+    expected: FAIL
+
+  [Cloning a script via Range.cloneContents() drops trustworthiness.]
+    expected: FAIL

testing/web-platform/meta/trusted-types/script-enforcement-002-outerHTML.xhtml.ini

@@ -0,0 +1,3 @@
+[script-enforcement-002-outerHTML.xhtml]
+  [Default policy's calls when setting script source via Element.outerHTML.]
+    expected: FAIL

testing/web-platform/meta/trusted-types/script-enforcement-002.html.ini

@@ -0,0 +1,78 @@
+[script-enforcement-002.html]
+  [Default policy's calls when setting script source via Element.innerHTML.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.setHTMLUnsafe().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.nodeValue.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.data.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.appendData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.insertData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.replaceData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.deleteData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.before().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.after().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.remove().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.replaceWith().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.appendChild().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.insertBefore().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.replaceChild().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.removeChild().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.prepend().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.append().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.replaceChildren().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.moveBefore().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.insertAdjacentText().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.insertAdjacentHTML().]
+    expected: FAIL
+
+  [Default policy's calls when setting source via Range.insertNode().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Range.deleteContents().]
+    expected: FAIL
+
+  [Default policy's calls when cloning a script via Node.cloneNode().]
+    expected: FAIL
+
+  [Default policy's calls when cloning a script via Range.cloneContents().]
+    expected: FAIL

testing/web-platform/meta/trusted-types/script-enforcement-003.html.ini

@@ -0,0 +1,84 @@
+[script-enforcement-003.html]
+  [Script source set via Element.textContent drops trustworthiness.]
+    expected: FAIL
+
+  [Script source set via TrustedHTML sink Element.innerHTML drops trustworthiness.]
+    expected: FAIL
+
+  [Script source set via TrustedHTML sink Element.outerHTML drops trustworthiness.]
+    expected: FAIL
+
+  [Script source set via TrustedHTML sink Element.setHTMLUnsafe() drops trustworthiness.]
+    expected: FAIL
+
+  [Script source set via Node.nodeValue drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.data drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.appendData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.insertData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.replaceData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.deleteData() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.before() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.after() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.remove() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via CharacterData.replaceWith() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.appendChild() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.insertBefore() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.replaceChild() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.removeChild() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.prepend() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.append() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Element.replaceChildren() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via ElementmoveBefore() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via TrustedHTML sink Node.insertAdjacentHTML() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Node.insertAdjacentText() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Range.insertNode() drops trustworthiness.]
+    expected: FAIL
+
+  [Setting script source via Range.deleteContents() drops trustworthiness.]
+    expected: FAIL
+
+  [Cloning a script via Node.cloneNode() drops trustworthiness.]
+    expected: FAIL
+
+  [Cloning a script via Range.cloneContents() drops trustworthiness.]
+    expected: FAIL

testing/web-platform/meta/trusted-types/script-enforcement-004.html.ini

@@ -0,0 +1,84 @@
+[script-enforcement-004.html]
+  [Default policy's calls when setting script source via SVGScriptElement.textContent.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.innerHTML.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.outerHTML.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.setHTMLUnsafe().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.nodeValue.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.data.]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.appendData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.insertData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.replaceData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.deleteData().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.before().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.after().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.remove().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via CharacterData.replaceWith().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.appendChild().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.insertBefore().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.replaceChild().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.removeChild().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.prepend().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.append().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.replaceChildren().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Element.moveBefore().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.insertAdjacentText().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Node.insertAdjacentHTML().]
+    expected: FAIL
+
+  [Default policy's calls when setting source via Range.insertNode().]
+    expected: FAIL
+
+  [Default policy's calls when setting script source via Range.deleteContents().]
+    expected: FAIL
+
+  [Default policy's calls when cloning a script via Node.cloneNode().]
+    expected: FAIL
+
+  [Default policy's calls when cloning a script via Range.cloneContents().]
+    expected: FAIL

testing/web-platform/tests/trusted-types/script-enforcement-001-outerHTML.xhtml

@@ -0,0 +1,35 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/namespaces.js"></script>
+<script src="support/passthroughpolicy.js"></script>
+<script src="support/script-messages.js"></script>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts"/>
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';"/>
+</head>
+<body>
+  <!--- See script-enforcement-001.html an explanation of this test.
+      The HTML parser won't create a child element for the span child of
+      scriptForOuterHTMLTest below, so we instead rely on the XHTML parser.  -->
+<div>
+  <script id="scriptForOuterHTMLTest" type="unknown"><span></span></script>
+</div>
+<div id="container"></div>
+<script>
+  promise_test(async t => {
+    await promise_rejects_js(t, TypeError, script_messages_for(_ => {
+      document.createElement("script").outerHTML = LOG_RUN_MESSAGE;
+    }), "TrustedHTML required.");
+    await no_script_message_for(_ => {
+      let script = document.getElementById("scriptForOuterHTMLTest");
+      script.remove();
+      script.removeAttribute("type");
+      script.firstElementChild.outerHTML = passthroughpolicy.createHTML(LOG_RUN_MESSAGE);
+      document.getElementById("container").appendChild(script);
+    });
+  }, "Script source set via TrustedHTML sink Element.outerHTML drops trustworthiness.");
+</script>
+</body>
+</html>