Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add trusted types tests for setAttribute that are not sinks. #50295

Merged
merged 1 commit into from
Jan 28, 2025
Merged

Add trusted types tests for setAttribute that are not sinks. #50295

merged 1 commit into from
Jan 28, 2025

Conversation

fred-wang
Copy link
Contributor

@fred-wang fred-wang commented Jan 27, 2025
edited by lukewarlow
Loading

See w3c/trusted-types#520

Closes w3c/trusted-types#573

We add tests for:

  • Names that don't correspond to any event handler attribute.
  • Names that don't correspond to an event handler attribute on any element.
  • Names that don't correspond to an event handler attribute for the modified element.

@fred-wang
Add trusted types tests for setAttribute that are not sinks.
cd74df8 
See w3c/trusted-types#520

We add tests for:

- Names that don't correspond to any event handler attribute.
- Names that don't correspond to an event handler attribute on any element.
- Names that don't correspond to an event handler attribute for the modified element.
@fred-wang fred-wang requested a review from lukewarlow January 27, 2025 14:37
@wpt-pr-bot wpt-pr-bot requested a review from mikewest January 27, 2025 14:38
@fred-wang fred-wang mentioned this pull request Jan 27, 2025
Open
annevk
annevk approved these changes Jan 27, 2025
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @fred-wang, this looks great. I hope you don't mind I'm going to use this PR as a check-in on the overall semantics.

Also copying @mozfreddyb and @otherdaniel for that.

trusted-types/set-event-handlers-content-attributes.tentative.html
[
// The following names correspond to event handler content attributes, but
// not for the div element. The current version of the spec says we should
// still run the default policy on them.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also seems a bit weird on reflection, but I guess it's okay?

@domenic as you have dabbled a bit in event handler attributes I wonder what you make of the situation with Trusted Types (and soon the Sanitizer API). I guess there's these four classes:

  1. Elements and event handler content attributes defined for them
  2. Elements and event handler content attributes not defined for them (a couple are only defined for the body or media elements)
  3. Elements and event handler content attributes that don't exist, but the event handler attribute does exist somewhere
  4. Elements and event handler content attributes that don't exist, and there's no event handler attribute either

It seems that we're currently leaning towards treating 1 and 2 as something we need to apply policy toward and 3 and 4 as cases we can ignore.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be really specific here, I believe 1 and 2 are consistent across browsers as being protected, 3 is something this test prohibits but implementations actually do protect against[1]. 4. is something that all browsers agree aren't protected.

[1] I'm not familiar with Firefox's implementation here but it seems to protect onreadystatechange for example.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding 3, Firefox protects "onreadystatechange" but not "onopen", so that's probably an implementation bug.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fred-wang Did you / Can you please file a bug to make sure this isn't lost?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mozfreddyb Sure I opened https://bugzilla.mozilla.org/show_bug.cgi?id=1944504 for that.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding 2, one simple refinement could be to not do the event handler check if the element is not in the HTML, SVG or MathML namespace: w3c/trusted-types#520

@fred-wang fred-wang merged commit 6fa87d2 into master Jan 28, 2025
18 checks passed
@fred-wang fred-wang deleted the tt-set-event-handle-content-attribute branch January 28, 2025 06:58
@mbrodesser-Igalia mbrodesser-Igalia mentioned this pull request Jan 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mozfreddyb mozfreddyb mozfreddyb left review comments

@annevk annevk annevk approved these changes

@lukewarlow lukewarlow Awaiting requested review from lukewarlow

@mikewest mikewest Awaiting requested review from mikewest

Assignees

@mikewest mikewest

Labels
trusted-types wg-s_webappsec
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add test for event handler content attribute handling for false positive event handler attributes
6 participants
@fred-wang @annevk @mozfreddyb @lukewarlow @mikewest @wpt-pr-bot