Fix mistakes in Element-setAttribute-respects-Elements-node-documents-globals-CSP-after-adoption-from-non-TT-realm.html.

fred-wang · moz-wptsync-bot · commit 7bd6ffc4ff27 · 2025-02-28T20:16:14.000Z
See #44323 (comment) Also add a more direct test for the TypeError realm. Differential Revision: https://phabricator.services.mozilla.com/D239894 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1950626 gecko-commit: cfc415b178e0e9719e0124df703b3125d1484251 gecko-reviewers: smaug
diff --git a/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP-after-adoption-from-non-TT-realm.html b/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP-after-adoption-from-non-TT-realm.html
@@ -33,10 +33,22 @@
         async_test(
           (t) => {
             const sourceFrame = document.createElement("iframe");
+            t.add_cleanup(() => {
+              sourceFrame.remove();
+            });
 
-            // The markup requires the parent element to ensure the attribute is associated with the
-            // correct namespace.
-            sourceFrame.srcdoc = passThroughPolicy.createHTML(
+            // We cannot directly set the iframe's srcdoc otherwise its CSP
+            // would be inherited from the main frame.
+            // See https://w3c.github.io/webappsec-csp/#security-inherit-csp
+            sourceFrame.src = "/common/blank.html";
+            sourceFrame.addEventListener(
+              "load",
+              t.step_func_done(() => {
+                let sourceFrameDocument = sourceFrame.contentWindow.document;
+                sourceFrameDocument.open();
+                // The markup requires the parent element to ensure the attribute
+                // is associated with the correct namespace.
+                sourceFrameDocument.write(passThroughPolicy.createHTML(
               `<!DOCTYPE html>
             <head>
             <meta charset="utf-8">
@@ -60,15 +72,9 @@
                 `>
             doc without TT CSP.
             </body>`
-            );
-
-            t.add_cleanup(() => {
-              sourceFrame.remove();
-            });
+                ));
+                sourceFrameDocument.close();
 
-            sourceFrame.addEventListener(
-              "load",
-              t.step_func_done(() => {
                 // A window is a global object which has 1-to-1 mapping to a realm, see the first
                 // note of <https://html.spec.whatwg.org/#realms-settings-objects-global-objects>
                 // and its following paragraph. Here, `sourceElement`'s node document's global
@@ -83,6 +89,19 @@
                 );
                 sourceElement.removeAttributeNode(sourceAttr);
 
+                // Sanity check: setting the attribute to a plain string does not
+                // throw since `sourceElement`'s node document is associated to
+                // a non-TT realm.
+                let unsafeAttr = document.createAttributeNS(
+                  sourceAttr.namespaceURI, sourceAttr.name);
+                unsafeAttr.value = "unsafe1";
+                sourceElement.setAttributeNode(unsafeAttr);
+                sourceElement.setAttributeNS(
+                  sourceAttr.namespaceURI,
+                  sourceAttr.name,
+                  "unsafe2"
+                );
+
                 document.body.append(sourceElement);
                 // Now `sourceElement`'s node document's global should belong to
                 // a TT-realm.
@@ -92,10 +111,10 @@
                 // invokes <https://www.w3.org/TR/trusted-types/#validate-attribute-mutation>.
                 // The latter should throw when executing step 5.
 
-                assert_throws_js(sourceFrame.contentWindow.TypeError, () => {
+                assert_throws_js(TypeError, () => {
                   sourceElement.setAttributeNode(sourceAttr);
                 });
-                assert_throws_js(sourceFrame.contentWindow.TypeError, () => {
+                assert_throws_js(TypeError, () => {
                   sourceElement.setAttributeNS(
                     sourceAttr.namespaceURI,
                     sourceAttr.name,
diff --git a/trusted-types/require-trusted-types-for-TypeError-belongs-to-the-global-object-realm.html b/trusted-types/require-trusted-types-for-TypeError-belongs-to-the-global-object-realm.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script';"/>
+<link rel="help" href="https://github.com/web-platform-tests/wpt/issues/45405">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id="divInsertedByParser"></div>
+<script>
+  test( _ => {
+    assert_throws_js(TypeError, _ => divInsertedByParser.innerHTML = 'unsafe');
+  }, "Setting innerHTML on a node inserted by the parser.");
+
+  promise_test(async t => {
+    const iframe = document.createElement("iframe");
+    const passThroughPolicy =
+          trustedTypes.createPolicy("passThrough", { createHTML: s => s });
+    iframe.srcdoc = passThroughPolicy.createHTML("<!DOCTYPE html><div></div>");
+    await new Promise(resolve => {
+      iframe.addEventListener("load", resolve);
+      document.body.appendChild(iframe);
+    });
+    const divAdoptedFromIframe =
+          document.adoptNode(iframe.contentDocument.body.firstElementChild);
+    assert_throws_js(TypeError, _ => divAdoptedFromIframe.innerHTML = 'unsafe');
+  }, "Setting innerHTML on a node adopted from a subframe.");
+</script>
