Test TT is not enforced when taking an element out of a TT realm to a non-TT realm.

See discussions at w3c/trusted-types#425 (comment).

Author: ziransun

trusted-types/Element-setAttribute-not-enforced-in-non-TT-documents-globals-CSP.html

@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <script>
+      const iframePolicy = trustedTypes.createPolicy("iframePolicy", {
+        createHTML: (s) => s,
+      });
+
+      const iframe_srcdoc = `
+      <!DOCTYPE html>
+        <head>
+        <meta charset="utf-8">
+        <meta
+        http-equiv="Content-Security-Policy"
+        content="require-trusted-types-for 'script';"
+        />
+      </head>
+        <body>
+          <div id="nonSVGTestElements">
+            <iframe id="iframe-srcdoc" srcdoc="v"></iframe>
+            <script id="script-src" src="v"><\/script>
+          </div>
+          <svg id="svgTestElements">
+            <script id="script-href" href="v"><\/script>
+            <script id="script-xlinkhref" xlink:href="v"><\/script>
+          </svg>
+      </body>`;
+
+      // TODO: Add xlink:href case. It fails getting testAttr in the test script below.
+      const testCases = ["iframe-srcdoc", "script-src", "script-href"];
+
+      const sourceFrame = document.createElement("iframe");
+      sourceFrame.srcdoc = iframePolicy.createHTML(
+        iframe_srcdoc
+      );
+      document.body.append(sourceFrame);
+
+      async_test(
+        (t) => {
+          t.add_cleanup(() => {
+              sourceFrame.remove();
+            });
+
+          sourceFrame.addEventListener(
+            "load",
+            t.step_func_done(() => {
+              testCases.forEach(c => {
+                const aTestElement  = sourceFrame.contentWindow.document.getElementById(c);
+                const testAttr = aTestElement.attributes[1];
+                const sourceElement =
+                          sourceFrame.contentDocument.body.querySelector(
+                            aTestElement.localName
+                          );
+                const sourceAttr = sourceElement.getAttributeNode(
+                  testAttr.name
+                );
+                sourceElement.removeAttributeNode(sourceAttr);
+                // Now `sourceElement`'s node document's global belongs to a non TT-realm.
+                document.body.append(sourceElement);
+                sourceElement.setAttributeNode(sourceAttr);
+                sourceElement.setAttributeNS(sourceAttr.namespaceURI, sourceAttr.name, sourceAttr.value);
+                let attr_node = sourceElement.getAttributeNodeNS(sourceAttr.namespaceURI, sourceAttr.name);
+                assert_equals(attr_node.value + "", "v");
+            });
+          })
+        );
+      }, `setAttribute and setAttributeNode are not is no longer enforced while being taken out to a non-TT realm.`);
+    </script>
+  </body>
+</html>