Add test for importing a `srcdoc` attribute node from a non-TT realm to a TT iframe element throws #44323

ghost · 2024-01-31T15:30:28Z

First step to fix w3c/trusted-types#425.

Will add separate commits for the other tests requested at above ticket.

ghost · 2024-02-01T14:59:21Z

Stumbled on #44352, which either needs to be fixed or worked around.

… the new test

…l> and further simplify it

…s created in a non-TT enforcing realm are imported to a TT-enforcing realm See <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>. This excludes tests for <https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-event-handler-content-attributes> which will have to be added once that part of the spec is propagated to the HTML spec. The remaining tests mentioned at <w3c/trusted-types#425 (comment)> will be added in separate commits.

…ment`'s and `sourceAttr`s realms differ

…e element's node document's global's CSP Requires #45405 to be fixed.

annevk

Thanks, this looks like the correct test.

I wonder if we should also test the inverse. That when you take an element out of a TT global, TT is no longer enforced for it.

ghost · 2024-04-11T13:29:36Z

Thanks, this looks like the correct test.

I wonder if we should also test the inverse. That when you take an element out of a TT global, TT is no longer enforced for it.

I don't know how relevant that scenario is.

@koto: any experience with that?

annevk · 2024-04-11T17:05:53Z

It's relevant for ensuring the specification is implemented correctly.

ghost · 2024-04-15T08:35:05Z

It's relevant for ensuring the specification is implemented correctly.

True; but is that scenario actually relevant in practice?

annevk · 2024-04-15T08:58:48Z

That does not matter for conformance tests. The whole point is that we can't know what websites might do and might rely on.

ghost · 2024-04-15T10:10:32Z

That does not matter for conformance tests. The whole point is that we can't know what websites might do and might rely on.

Agreed. Added w3c/trusted-types#425 (comment) so that another test will be added.

ghost · 2024-04-15T10:11:26Z

@annevk: can you please merge this test, I lack rights.

fred-wang · 2025-02-27T11:19:31Z

For future reference, this test has the following issues:

It's relying on iframes with srcdoc attribute, so per https://w3c.github.io/webappsec-csp/#security-inherit-csp they are inheriting the CSP policy from the main frame which contains a require-trusted-types-for directive. So we are actually moving from a TT realm to another TT realm, which is not what the test means to check. If you remove the document.body.append(sourceElement) line, you see that the setAttribute* calls continue to assert (which shouldn't be the case if they were in a non-TT realm)
assert_throws_js is expecting the iframe realm's TypeError rather than the main frame realm's TypeError. IIUC this was changed after discussion on assert_throws_js fails for an element adopted from an iframe #45405 but I believe this is wrong: assert_throws_js fails for an element adopted from an iframe #45405 (comment)

I'll fix the test in https://bugzilla.mozilla.org/show_bug.cgi?id=1950626, probably moving the "which realm the TypeError is coming from" check into a separate test since that was not really what the initial test meant to check anyway.

…-globals-CSP-after-adoption-from-non-TT-realm.html. See #44323 (comment) Also add a more direct test for the TypeError realm. Differential Revision: https://phabricator.services.mozilla.com/D239894 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1950626 gecko-commit: cfc415b178e0e9719e0124df703b3125d1484251 gecko-reviewers: smaug

…de-documents-globals-CSP-after-adoption-from-non-TT-realm.html. r=smaug See web-platform-tests/wpt#44323 (comment) Also add a more direct test for the TypeError realm. Differential Revision: https://phabricator.services.mozilla.com/D239894

…-globals-CSP-after-adoption-from-non-TT-realm.html. See #44323 (comment) Also add a more direct test for the TypeError realm. Differential Revision: https://phabricator.services.mozilla.com/D239894 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1950626 gecko-commit: cfc415b178e0e9719e0124df703b3125d1484251 gecko-reviewers: smaug

…de-documents-globals-CSP-after-adoption-from-non-TT-realm.html. r=smaug See web-platform-tests/wpt#44323 (comment) Also add a more direct test for the TypeError realm. Differential Revision: https://phabricator.services.mozilla.com/D239894 UltraBlame original commit: cfc415b178e0e9719e0124df703b3125d1484251

…de-documents-globals-CSP-after-adoption-from-non-TT-realm.html. r=smaug See web-platform-tests/wpt#44323 (comment) Also add a more direct test for the TypeError realm. Differential Revision: https://phabricator.services.mozilla.com/D239894

wpt-pr-bot added trusted-types wg-s_webappsec labels Jan 31, 2024

wpt-pr-bot assigned mikewest Jan 31, 2024

wpt-pr-bot requested a review from mikewest January 31, 2024 15:30

Mirko Brodesser added 9 commits April 8, 2024 11:46

Schedule the new test before a default policy is created and simplify…

d120fc8

… the new test

Move test to <block-string-assignment-to-Element-setAttributeNode.htm…

2c2ea19

…l> and further simplify it

Add TODO

aeed729

Change test to check aTestElement's ownerDocument equals document

4a9e49c

Refactor test to use the XLink namespace for SVG's script element

d615169

Remove unnecessary assertions and explain in a comment that `aTestEle…

26c25f9

…ment`'s and `sourceAttr`s realms differ

Change test to check setAttributeNode and setAttribute respect th…

b617318

…e element's node document's global's CSP Requires #45405 to be fixed.

Use sourceFrame.contentWindow's TyperError constructor

dfd95a9

annevk approved these changes Apr 11, 2024

View reviewed changes

annevk merged commit 560c8d6 into web-platform-tests:master Apr 15, 2024

moz-wptsync-bot added mozilla:gecko-blocked and removed mozilla:gecko-blocked labels Apr 15, 2024

moz-wptsync-bot mentioned this pull request Feb 28, 2025

[Gecko Bug 1950626] Fix mistakes in Element-setAttribute-respects-Elements-node-documents-globals-CSP-after-adoption-from-non-TT-realm.html. #51019

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add test for importing a `srcdoc` attribute node from a non-TT realm to a TT iframe element throws #44323

Add test for importing a `srcdoc` attribute node from a non-TT realm to a TT iframe element throws #44323

Uh oh!

ghost commented Jan 31, 2024

Uh oh!

ghost commented Feb 1, 2024

Uh oh!

annevk left a comment

Uh oh!

ghost commented Apr 11, 2024

Uh oh!

annevk commented Apr 11, 2024

Uh oh!

ghost commented Apr 15, 2024

Uh oh!

annevk commented Apr 15, 2024

Uh oh!

ghost commented Apr 15, 2024

Uh oh!

ghost commented Apr 15, 2024

Uh oh!

fred-wang commented Feb 27, 2025

Uh oh!

Uh oh!

Add test for importing a srcdoc attribute node from a non-TT realm to a TT iframe element throws #44323

Add test for importing a srcdoc attribute node from a non-TT realm to a TT iframe element throws #44323

Uh oh!

Conversation

ghost commented Jan 31, 2024

Uh oh!

ghost commented Feb 1, 2024

Uh oh!

annevk left a comment

Choose a reason for hiding this comment

Uh oh!

ghost commented Apr 11, 2024

Uh oh!

annevk commented Apr 11, 2024

Uh oh!

ghost commented Apr 15, 2024

Uh oh!

annevk commented Apr 15, 2024

Uh oh!

ghost commented Apr 15, 2024

Uh oh!

ghost commented Apr 15, 2024

Uh oh!

fred-wang commented Feb 27, 2025

Uh oh!

Uh oh!

Add test for importing a `srcdoc` attribute node from a non-TT realm to a TT iframe element throws #44323

Add test for importing a `srcdoc` attribute node from a non-TT realm to a TT iframe element throws #44323