Ensure element's namespace is HTML, SVG or MathML before TT check for event handler attribute.

See w3c/trusted-types#578

Differential Revision: https://phabricator.services.mozilla.com/D239724

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1950582
gecko-commit: e51862a3ae02677d09e17aa99baa8ec6ed18678a
gecko-reviewers: smaug

Author: fred-wang

trusted-types/TrustedTypePolicyFactory-getAttributeType-event-handler-content-attributes.tentative.html

@@ -14,7 +14,7 @@
       promise_test(async () => {
         NSURI_ARRAY.forEach(attrNs => {
           assert_equals(trustedTypes.getAttributeType(
-            "dummy", attr.name, "dummyNs", attrNs),
+            "dummy", attr.name, NSURI_HTML, attrNs),
             attrNs === NSURI_EMPTY ? "TrustedScript" : null,
             `for attrNs='${attrNs}'`);
         });

trusted-types/support/attributes.js

@@ -51,13 +51,6 @@ const trustedTypeDataForAttribute = [
     type: "TrustedScript",
     sink: "Element onmousedown"
   },
-  {
-    element: _ => document.createElementNS(NSURI_FOO, "foo"),
-    attrNS: null,
-    attrName: "onmouseup",
-    type: "TrustedScript",
-    sink: "Element onmouseup"
-  },
   {
     element: _ => document.createElement("iframe"),
     attrNS: null,
@@ -87,6 +80,13 @@ const trustedTypeDataForAttribute = [
     sink: "SVGScriptElement href",
   },
   // Below are some cases that are not trusted type sinks.
+  // event handler attribute name with element in non-HTML/SVG/MathML namespace.
+  {
+    element: _ => document.createElementNS(NSURI_FOO, "foo"),
+    attrNS: null,
+    attrName: "onmouseup",
+    type: null,
+  },
   {
     // event handler attribute name with non-null namespace.
     element: _ => document.createElement("div"),