Add more Trusted Types enforcement tests testing a source text transformed by the default policy.

This verifies that the source text transformed by the default policy is used
for various steps of "prepare the script element":

https://html.spec.whatwg.org/#prepare-the-script-element
PR w3c/trusted-types#579

Differential Revision: https://phabricator.services.mozilla.com/D251456

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1968383
gecko-commit: b40ba3e6cd668c9890ed7e4c6bdfdf2ee60cbcc4
gecko-reviewers: smaug

Author: fred-wang

trusted-types/script-enforcement-005.html

@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/namespaces.js"></script>
+<script src="support/passthroughpolicy.js"></script>
+<script src="support/script-messages.js"></script>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts">
+<link rel="help" href="https://html.spec.whatwg.org/#prepare-the-script-element">
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
+<!-- This test covers the following step from the "prepare the script element"
+     algorithm, verifying that "source text" is the one after application of
+     the default policy: "If el has no src attribute, and source text is the
+     empty string, then return." -->
+<div id="htmlContainer">
+  <script id="scriptToCreateNonEmptyHTMLScript" type="unknown">;</script>
+</div>
+<svg id="svgContainer">
+  <script id="scriptToCreateNonEmptySVGScript" type="unknown">;</script>
+</svg>
+<script>
+  // Define a default policy that transforms empty script string to some source
+  // logging a RUN message and other script strings to empty.
+  trustedTypes.createPolicy("default", {
+    createScript: (value, _, sink) => {
+      window.log_message("CREATE_SCRIPT");
+      window.log_message(sink);
+      return value.length ? "" : LOG_RUN_MESSAGE;
+    }
+  });
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      // Current version of the specification requires the script text to change
+      // in order to force a call to the default policy callback with sink
+      // "HTMLScriptElement text". If the following PR is accepted, this could
+      // be simplified to create_html_script_with_untrusted_source_text("").
+      // https://github.com/w3c/trusted-types/pull/579
+      let script = document.getElementById("scriptToCreateNonEmptyHTMLScript");
+      script.remove();
+      script.removeAttribute("type");
+      script.firstChild.remove();
+      htmlContainer.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "RUN"]);
+  }, "Empty HTMLScriptElement is executed if the default policy makes it non-empty.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      let script = create_html_script_with_untrusted_source_text(LOG_RUN_MESSAGE);
+      htmlContainer.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text"]);
+
+  }, "Non-empty HTMLScriptElement is not executed if the default policy makes it empty.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      // Note: Using create_html_script_with_untrusted_source_text("") may not
+      // guarantee the script to be untrusted for implementations using a
+      // script-based enforcement mechanism. So make sure we do modify the text.
+      let script = document.getElementById("scriptToCreateNonEmptySVGScript");
+      script.remove();
+      script.removeAttribute("type");
+      script.firstChild.remove();
+      svgContainer.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "RUN"]);
+  }, "Empty SVGScriptElement is executed if the default policy makes it non-empty.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      let script = create_svg_script_with_untrusted_source_text(LOG_RUN_MESSAGE);
+      svgContainer.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text"]);
+
+  }, "Non-empty SVGScriptElement is not executed if the default policy makes it empty.");
+</script>

trusted-types/script-enforcement-006.html

@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/namespaces.js"></script>
+<script src="support/passthroughpolicy.js"></script>
+<script src="support/script-messages.js"></script>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts">
+<link rel="help" href="https://html.spec.whatwg.org/#prepare-the-script-element">
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+<!-- This test covers the following step from the "prepare the script element"
+     algorithm, verifying that "source text" is the one after application of
+     the default policy: "If el does not have a src content attribute: ...
+     Switch on el's type:" -->
+<div id="container"></div>
+<script>
+  const logMessageModulePath = "./support/logMessage-module.sub.js";
+
+  // Define a default policy that transforms the script's type to some valid
+  // source content.
+  trustedTypes.createPolicy("default", {
+    createScript: (value, _, sink) => {
+      window.log_message("CREATE_SCRIPT");
+      window.log_message(sink);
+      switch (value) {
+      case "classic":
+        return `window.log_message('CLASSIC');`;
+      case "module":
+        return `window.log_message('MODULE');`;
+      case "importmap":
+        return `{ "imports": { "${logMessageModulePath}?message=UNMAPPED": "${logMessageModulePath}?message=IMPORTMAP" }}`;
+      }
+    }
+  });
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      let script = create_html_script_with_untrusted_source_text("classic");
+      script.setAttribute("type", "application/ecmascript");
+      // Appending the script will log "CLASSIC".
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "CLASSIC"]);
+  }, "Untrusted HTMLScriptElement with classic type uses the source text returned by the default policy.");
+
+  // Firefox disallows import map after a module load, so place this promise
+  // test before the module test.
+  // See https://bugzilla.mozilla.org/show_bug.cgi?id=1916277#c4
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_html_script_with_untrusted_source_text("importmap");
+      script.setAttribute("type", "importmap");
+
+      // Appending the script sets up an import map for logMessageModulePath.
+      container.appendChild(script);
+
+      // Importing logMessageModulePath will log message "IMPORTMAP"
+      await import(`${logMessageModulePath}?message=UNMAPPED`);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "IMPORTMAP"]);
+  }, "Untrusted HTMLScriptElement of importmap type uses the source text returned by the default policy.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_html_script_with_untrusted_source_text("module");
+      script.setAttribute("type", "module");
+
+      // Appending the script will log message "MODULE"
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "MODULE"]);
+  }, "Untrusted HTMLScriptElement of module type uses the source text returned by the default policy.");
+</script>

trusted-types/script-enforcement-007.html

@@ -0,0 +1,69 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/namespaces.js"></script>
+<script src="support/passthroughpolicy.js"></script>
+<script src="support/script-messages.js"></script>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts">
+<link rel="help" href="https://html.spec.whatwg.org/#prepare-the-script-element">
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+<!-- This is the same test as script-enforcement-006 but for SVGScriptElement. -->
+<svg id="container"></svg>
+<script>
+  const logMessageModulePath = "./support/logMessage-module.sub.js";
+
+  // Define a default policy that transforms the script's type to some valid
+  // source content.
+  trustedTypes.createPolicy("default", {
+    createScript: (value, _, sink) => {
+      window.log_message("CREATE_SCRIPT");
+      window.log_message(sink);
+      switch (value) {
+      case "classic":
+        return `window.log_message('CLASSIC');`;
+      case "module":
+        return `window.log_message('MODULE');`;
+      case "importmap":
+        return `{ "imports": { "${logMessageModulePath}?message=UNMAPPED": "${logMessageModulePath}?message=IMPORTMAP" }}`;
+      }
+    }
+  });
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      let script = create_svg_script_with_untrusted_source_text("classic");
+      script.setAttribute("type", "application/ecmascript");
+      // Appending the script will log "CLASSIC".
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "CLASSIC"]);
+  }, "Untrusted SVGScriptElement with classic type uses the source text returned by the default policy.");
+
+  // Firefox disallows import map after a module load, so place this promise
+  // test before the module test.
+  // See https://bugzilla.mozilla.org/show_bug.cgi?id=1916277#c4
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_svg_script_with_untrusted_source_text("importmap");
+      script.setAttribute("type", "importmap");
+
+      // Appending the script sets up an import map for logMessageModulePath.
+      container.appendChild(script);
+
+      // Importing logMessageModulePath will log message "IMPORTMAP".
+      await import(`${logMessageModulePath}?message=UNMAPPED`);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "IMPORTMAP"]);
+  }, "Untrusted SVGScriptElement of importmap type uses the source text returned by the default policy.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_svg_script_with_untrusted_source_text("module");
+      script.setAttribute("type", "module");
+
+      // Appending the script will log message "MODULE".
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "MODULE"]);
+  }, "Untrusted SVGScriptElement of module type uses the source text returned by the default policy.");
+</script>

trusted-types/script-enforcement-008.https.html

@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/namespaces.js"></script>
+<script src="support/passthroughpolicy.js"></script>
+<script src="support/script-messages.js"></script>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts">
+<link rel="help" href="https://html.spec.whatwg.org/#prepare-the-script-element">
+<link rel="help" href="https://w3c.github.io/webappsec-csp/#should-block-inline">
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+<meta id="metaTagForScriptSrc" http-equiv="Content-Security-Policy" content="script-src 'nonce-script-messages' 'nonce-self' 'sha256-IpCtvKVFQbqDBhwCvQEsZoqgVXvAd6T2uRWd/Pz7FuI=' 'sha256-xanaWuoRdfLzI0+K8zpwr8eHi4RK2P6GglgCFXv0r00=' 'sha256-BPWjrQT1GMyyQ+6Fmycn7pSqh8L945ToMJ/nfGClLBc='">
+<!-- This test covers the following step from the "prepare the script element"
+     algorithm, verifying that "source text" is the one after application of
+     the default policy: "If el does not have a src content attribute, and the
+     Should element's inline behavior be blocked by Content Security Policy?
+     algorithm returns "Blocked" when given el, "script", and source text, then
+     return." -->
+<div id="container"></div>
+<script nonce="self">
+  const logMessageModulePath = "./support/logMessage-module.sub.js";
+
+  // Define a default policy that transforms the script's type to some valid
+  // source content.
+  function scriptTypeToValue(value) {
+    switch (value) {
+    case "classic":
+      return `window.log_message('CLASSIC');`;
+    case "module":
+      return `window.log_message('MODULE');`;
+    case "importmap":
+      return `{ "imports": { "${logMessageModulePath}?message=UNMAPPED": "${logMessageModulePath}?message=IMPORTMAP" }}`;
+    }
+  }
+  trustedTypes.createPolicy("default", {
+    createScript: (value, _, sink) => {
+      window.log_message("CREATE_SCRIPT");
+      window.log_message(sink);
+      return scriptTypeToValue(value);
+    }
+  });
+
+  promise_test(async t => {
+    let classicHash = await base64_hash_for_inline_script(scriptTypeToValue("classic"), "SHA-256");
+    let moduleHash = await base64_hash_for_inline_script(scriptTypeToValue("module"), "SHA-256");
+    let importmapHash = await base64_hash_for_inline_script(scriptTypeToValue("importmap"), "SHA-256");
+    let metaTagContent = document.getElementById("metaTagForScriptSrc").getAttribute("content");
+    assert_equals(metaTagContent, `script-src 'nonce-script-messages' 'nonce-self' 'sha256-${classicHash}' 'sha256-${moduleHash}' 'sha256-${importmapHash}'`);
+  }, "script-src CSP directive is properly set.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      let script = create_html_script_with_untrusted_source_text("classic");
+      script.setAttribute("type", "application/ecmascript");
+      // Appending the script will log "CLASSIC".
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "CLASSIC"]);
+  }, "Untrusted HTMLScriptElement with classic type uses the source text returned by the default policy for inline CSP check.");
+
+  // Firefox disallows import map after a module load, so place this promise
+  // test before the module test.
+  // See https://bugzilla.mozilla.org/show_bug.cgi?id=1916277#c4
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_html_script_with_untrusted_source_text("importmap");
+      script.setAttribute("type", "importmap");
+
+      // Appending the script sets up an import map for logMessageModulePath.
+      container.appendChild(script);
+
+      // Importing logMessageModulePath will log message "IMPORTMAP"
+      await import(`${logMessageModulePath}?message=UNMAPPED`);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "IMPORTMAP"]);
+  }, "Untrusted HTMLScriptElement of importmap type uses the source text returned by the default policy for inline CSP check.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_html_script_with_untrusted_source_text("module");
+      script.setAttribute("type", "module");
+
+      // Appending the script will log message "MODULE"
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "HTMLScriptElement text", "MODULE"]);
+  }, "Untrusted HTMLScriptElement of module type uses the source text returned by the default policy for inline CSP check.");
+</script>

trusted-types/script-enforcement-009.https.html

@@ -0,0 +1,82 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/namespaces.js"></script>
+<script src="support/passthroughpolicy.js"></script>
+<script src="support/script-messages.js"></script>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts">
+<link rel="help" href="https://html.spec.whatwg.org/#prepare-the-script-element">
+<link rel="help" href="https://w3c.github.io/webappsec-csp/#should-block-inline">
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+<meta id="metaTagForScriptSrc" http-equiv="Content-Security-Policy" content="script-src 'nonce-script-messages' 'nonce-self' 'sha256-IpCtvKVFQbqDBhwCvQEsZoqgVXvAd6T2uRWd/Pz7FuI=' 'sha256-xanaWuoRdfLzI0+K8zpwr8eHi4RK2P6GglgCFXv0r00=' 'sha256-BPWjrQT1GMyyQ+6Fmycn7pSqh8L945ToMJ/nfGClLBc='">
+<!-- This is the same test as script-enforcement-008 but for SVGScriptElement. -->
+<svg id="container"></svg>
+<script nonce="self">
+  const logMessageModulePath = "./support/logMessage-module.sub.js";
+
+  // Define a default policy that transforms the script's type to some valid
+  // source content.
+  function scriptTypeToValue(value) {
+    switch (value) {
+    case "classic":
+      return `window.log_message('CLASSIC');`;
+    case "module":
+      return `window.log_message('MODULE');`;
+    case "importmap":
+      return `{ "imports": { "${logMessageModulePath}?message=UNMAPPED": "${logMessageModulePath}?message=IMPORTMAP" }}`;
+    }
+  }
+  trustedTypes.createPolicy("default", {
+    createScript: (value, _, sink) => {
+      window.log_message("CREATE_SCRIPT");
+      window.log_message(sink);
+      return scriptTypeToValue(value);
+    }
+  });
+
+  promise_test(async t => {
+    let classicHash = await base64_hash_for_inline_script(scriptTypeToValue("classic"), "SHA-256");
+    let moduleHash = await base64_hash_for_inline_script(scriptTypeToValue("module"), "SHA-256");
+    let importmapHash = await base64_hash_for_inline_script(scriptTypeToValue("importmap"), "SHA-256");
+    let metaTagContent = document.getElementById("metaTagForScriptSrc").getAttribute("content");
+    assert_equals(metaTagContent, `script-src 'nonce-script-messages' 'nonce-self' 'sha256-${classicHash}' 'sha256-${moduleHash}' 'sha256-${importmapHash}'`);
+  }, "script-src CSP directive is properly set.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(_ => {
+      let script = create_svg_script_with_untrusted_source_text("classic");
+      script.setAttribute("type", "application/ecmascript");
+      // Appending the script will log "CLASSIC".
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "CLASSIC"]);
+  }, "Untrusted SVGScriptElement with classic type uses the source text returned by the default policy for inline CSP check.");
+
+  // Firefox disallows import map after a module load, so place this promise
+  // test before the module test.
+  // See https://bugzilla.mozilla.org/show_bug.cgi?id=1916277#c4
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_svg_script_with_untrusted_source_text("importmap");
+      script.setAttribute("type", "importmap");
+
+      // Appending the script sets up an import map for logMessageModulePath.
+      container.appendChild(script);
+
+      // Importing logMessageModulePath will log message "IMPORTMAP"
+      await import(`${logMessageModulePath}?message=UNMAPPED`);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "IMPORTMAP"]);
+  }, "Untrusted SVGScriptElement of importmap type uses the source text returned by the default policy for inline CSP check.");
+
+  promise_test(async t => {
+    let messages = await script_messages_for(async _ => {
+      let script = create_svg_script_with_untrusted_source_text("module");
+      script.setAttribute("type", "module");
+
+      // Appending the script will log message "MODULE"
+      container.appendChild(script);
+    });
+    assert_array_equals(messages, ["CREATE_SCRIPT", "SVGScriptElement text", "MODULE"]);
+  }, "Untrusted SVGScriptElement of module type uses the source text returned by the default policy for inline CSP check.");
+</script>

trusted-types/support/logMessage-module.sub.js

@@ -0,0 +1 @@
+window.log_message("{{GET[message]}}");