Removed url-allow-http policy support. (#165)

This is linked to #65.
w3c · May 8, 2019 · f7297a0 · f7297a0
1 parent f4c35d0
commit f7297a0
Show file tree

Hide file tree

Showing 8 changed files with 55 additions and 196 deletions.
diff --git a/dist/es5/trustedtypes.build.js b/dist/es5/trustedtypes.build.js
diff --git a/dist/es5/trustedtypes.build.js.map b/dist/es5/trustedtypes.build.js.map
diff --git a/dist/es6/trustedtypes.build.js b/dist/es6/trustedtypes.build.js
diff --git a/dist/es6/trustedtypes.build.js.map b/dist/es6/trustedtypes.build.js.map
diff --git a/src/data/trustedtypeconfig.js b/src/data/trustedtypeconfig.js
@@ -25,16 +25,12 @@ export class TrustedTypeConfig {
    * @param {?string} fallbackPolicyName If present, direct DOM sink usage
    *   will be passed through this policy (has to be exposed).
    * @param {Array<string>} allowedPolicyNames Whitelisted policy names.
-   * @param {boolean=} allowHttpUrls if true, HTTP(s) urls will be transparently
-   *   treated like TrustedURLs. Applied only if enforcement or logging is
-   *   enabled.
    * @param {?string} cspString String with the CSP policy.
    */
   constructor(isLoggingEnabled,
       isEnforcementEnabled,
       fallbackPolicyName,
       allowedPolicyNames,
-      allowHttpUrls = false,
       cspString = null) {
     /**
       * True if logging is enabled.
@@ -60,12 +56,6 @@ export class TrustedTypeConfig {
      */
     this.allowedPolicyNames = allowedPolicyNames;
 
-    /**
-     * True if http(s) URLs should be implicitly treated as TrustedURLs.
-     * @type {boolean}
-     */
-    this.allowHttpUrls = allowHttpUrls;
-
     /**
      * CSP string that defined the policy.
      * @type {?string}
@@ -102,12 +92,9 @@ export class TrustedTypeConfig {
     const isLoggingEnabled = true;
     const policy = TrustedTypeConfig.parseCSP(cspString);
     const enforce = DIRECTIVE_NAME in policy;
-    let allowHttpUrls = false;
     let policies = ['*'];
     let fallbackPolicyName = 'default';
     if (enforce) {
-      allowHttpUrls = policy[DIRECTIVE_NAME]
-          .indexOf('\'url-allow-http\'') !== -1;
       policies = policy[DIRECTIVE_NAME].filter((p) => p.charAt(0) !== '\'');
     }
 
@@ -116,7 +103,6 @@ export class TrustedTypeConfig {
       enforce, /* isEnforcementEnabled */
       fallbackPolicyName, /* fallbackPolicyName */
       policies, /* allowedPolicyNames */
-      allowHttpUrls,
       cspString
     );
   }

diff --git a/src/enforcer.js b/src/enforcer.js
@@ -84,19 +84,6 @@ function parseUrl_(url) {
   }
 }
 
-/**
- * Checks if the URL is a HTTP(s) URL.
- * @param  {string}  url The URL to check.
- * @return {boolean} True iff the value is a http(s) URL.
- */
-function isHttpUrl_(url) {
-  const parsedUrl = parseUrl_(url);
-  if (!parsedUrl) {
-    return false;
-  }
-  return parsedUrl.protocol == 'http:' || parsedUrl.protocol == 'https:';
-}
-
 /**
  * A map of attribute names to allowed types.
  * @type {!Object<string, !Object<string, !Function>>}
@@ -734,17 +721,6 @@ export class TrustedTypesEnforcer {
       }
     }
 
-
-    // Apply url-allow-http
-    if (typeToEnforce === TrustedTypes.TrustedURL &&
-        this.config_.allowHttpUrls) {
-      const url = '' + value;
-      if (isHttpUrl_(url)) {
-        args[argNumber] = url;
-        return apply(originalSetter, context, args);
-      }
-    }
-
     // Apply a fallback policy, if it exists.
     const fallback = this.config_.fallbackPolicyName;
     if (fallback) {

diff --git a/tests/enforcer_test.js b/tests/enforcer_test.js
@@ -31,7 +31,6 @@ describe('TrustedTypesEnforcer', function() {
       /* isEnforcementEnabled */ true,
       /* fallbackPolicy */ null,
       /* allowedPolicyNames */ ['*'],
-      /* allowHttpUrls */ false,
       /* cspString */ 'script-src https:; trusted-types *'
       );
 
@@ -47,7 +46,6 @@ describe('TrustedTypesEnforcer', function() {
       /* isEnforcementEnabled */ false,
       /* fallbackPolicy */ null,
       /* allowedPolicyNames */ ['*'],
-      /* allowHttpUrls */ false,
       /* cspString */ 'script-src https:'
   );
 
@@ -520,96 +518,6 @@ describe('TrustedTypesEnforcer', function() {
     });
   });
 
-  describe('url-allow-http config', () => {
-    let enforcer;
-    let el;
-    let policy;
-
-    beforeEach(function() {
-      if (typeof window.URL !== 'function') {
-        // Skip on IE, url-allow-http relies on URL parsing.
-        pending();
-      }
-      el = document.createElement('a');
-      enforcer = new TrustedTypesEnforcer(new TrustedTypeConfig(
-      /* isLoggingEnabled */ false,
-      /* isEnforcementEnabled */ true,
-      /* fallbackPolicy */ null,
-      /* allowedPolicyNames */ ['*'],
-      /* allowHttpUrls */ true));
-      enforcer.install();
-      policy = TrustedTypes.createPolicy(Math.random(), noopPolicy);
-    });
-
-    afterEach(function() {
-      enforcer.uninstall();
-    });
-
-    it('allows typed values for url sinks', () => {
-      el.href = policy.createURL('http://example.com/');
-
-      expect(el.href).toEqual('http://example.com/');
-    });
-
-    it('allows typed values for with javascript: protocol', () => {
-      el.href = policy.createURL('javascript:alert(1)');
-
-      expect(el.href).toEqual('javascript:alert(1)');
-    });
-
-    it('allows strings with http urls', () => {
-      el.href = 'http://example.com/';
-
-      expect(el.href).toEqual('http://example.com/');
-    });
-
-    it('allows strings with https urls', () => {
-      el.href = 'https://example.com/';
-
-      expect(el.href).toEqual('https://example.com/');
-    });
-
-    it('allows strings with relative urls', () => {
-      el.href = 'foo/bar';
-
-      expect(el.href).toEqual(location.origin + '/foo/bar');
-    });
-
-    it('rejects strings with javascript: URLs', () => {
-      expect(() => {
-        el.href = 'javascript:alert(1)';
-      }).toThrowError(TypeError);
-
-      expect(el.href).toEqual('');
-    });
-
-    it('rejects strings with data: URLs', () => {
-      expect(() => {
-        el.href = 'data:text/html,<script>alert(1)</scrip' + 't>';
-      }).toThrowError(TypeError);
-
-      expect(el.href).toEqual('');
-    });
-
-    it('rejects malformed URLs', () => {
-      expect(() => {
-        el.href = 'https://example.com:demo';
-      }).toThrowError(TypeError);
-
-      expect(el.href).toEqual('');
-    });
-
-    it('rejects http urls for TrustedScriptURL sinks', () => {
-      const el = document.createElement('script');
-
-      expect(() => {
-        el.src = 'https://evil.com';
-      }).toThrowError(TypeError);
-
-      expect(el.src).toEqual('');
-    });
-  });
-
   describe('enforcement disables null assignments', function() {
     let enforcer;
 

diff --git a/tests/trustedtypeconfig_test.js b/tests/trustedtypeconfig_test.js
@@ -83,16 +83,6 @@ describe('TrustedTypeConfig', () => {
           .allowedPolicyNames).toEqual([]);
     });
 
-    it('does not allow http urls by default', () => {
-      expect(TrustedTypeConfig.fromCSP('trusted-types')
-          .allowHttpUrls).toEqual(false);
-    });
-
-    it('recognizes url-allow-http', () => {
-      expect(TrustedTypeConfig.fromCSP('trusted-types \'url-allow-http\'')
-          .allowHttpUrls).toEqual(true);
-    });
-
     it('passes the CSP string to config object', () => {
       const csp = 'trusted-types a b c; script-src foo';