From 8e5944df3d3427cfd9ffdf2da8e0fc99b4fc3255 Mon Sep 17 00:00:00 2001
From: Luke Warlow
Date: Wed, 12 Jun 2024 14:08:43 +0200
Subject: [PATCH] Switch trusted types sinks to use union type

This replaces usages of HTMLString and ScriptURLString with their equivalent union types. The relevant algorithms are also updated to do the TT enforcement.
---
 source | 192 ++++++++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 155 insertions(+), 37 deletions(-)

diff --git a/source b/source
index a0bb77d2094..4bfd12055a5 100644
--- a/source
+++ b/source
@@ -3220,6 +3220,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  • The change, append, remove, replace, get an attribute by namespace and local name, set value, and remove an attribute by namespace and local name algorithms for attributes
  • The attribute change steps hook for attributes
  • The value concept for attributes
  • +
  • The local name concept for attributes
  • The attribute list concept
  • The data of a CharacterData node and its replace data algorithm
  • @@ -4609,11 +4610,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute TRUSTED-TYPES

    @@ -10672,7 +10672,7 @@ typedef (HTMLScriptElement or SVGScriptElement) LegacyOverrideBuiltIns] partial interface Document { - static Document parseHTMLUnsafe(HTMLString html); + static Document parseHTMLUnsafe((TrustedHTML or DOMString) html); // resource metadata management [PutForwards=href, LegacyUnforgeable] readonly attribute Location? location; @@ -33081,7 +33081,7 @@ interface HTMLIFrameElement : HTMLElement { [HTMLConstructor] constructor(); [CEReactions] attribute USVString src; - [CEReactions] attribute HTMLString srcdoc; + [CEReactions] attribute (TrustedHTML or DOMString) srcdoc; [CEReactions] attribute DOMString name; [SameObject, PutForwards=value] readonly attribute DOMTokenList sandbox; [CEReactions] attribute DOMString allow; @@ -33859,11 +33859,41 @@ interface HTMLIFrameElement : HTMLElement {

    The IDL attributes src, srcdoc, name, sandbox, and allow must reflect the respective content - attributes of the same name.

    + data-x="dom-iframe-sandbox">sandbox
    , and allow must + reflect the respective content attributes of the same name.

    + +

    The srcdoc getter steps are:

    + +
      +
    1. Let attribute be the result of running get an attribute by namespace and local + name given null, srcdoc's local name, and this.

    2. + +
    3. If attribute is null, then return the empty string.

    4. + +
    5. Return attribute's value.

    6. +
    + +

    The srcdoc setter steps + are:

    + +
      +
    1. Let compliantString to the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, the given value, "HTMLIFrameElement srcdoc", and "script".

    2. + +
    3. Set an attribute value given + this, srcdoc's local name, and + compliantString.

    4. +

    The supported tokens for sandbox's DOMTokenList are the allowed @@ -112543,7 +112573,7 @@ document.body.appendChild(frame)
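Review bot: Step 1 of the new srcdoc setter steps reads `Let compliantString to the result of invoking the Get Trusted Type compliant string algorithm…`; the algorithm convention used by the setHTMLUnsafe, innerHTML and outerHTML steps in this same patch is `Let compliantString be the result of invoking…`, so "to" should be "be". The same `Let … to` slip appears in the DOMParser parseFromString steps (`Let compliantString to`) and the Document parseHTMLUnsafe steps (`Let compliantHTML to`) later in the patch. The ordering in the setter is otherwise sound: the compliance check against this's relevant global object runs before the set-an-attribute-value step, so only the returned compliantString ever reaches the content attribute, while the getter simply returns the stored attribute value (or the empty string when the attribute is absent).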

    The document.write(...text) method steps are - to run the document write steps with this, text, false and + to run the document write steps with this, text, false, and "Document write".

    @@ -112574,7 +112604,7 @@ document.body.appendChild(frame)

    The document.writeln(...text) method steps are - to run the document write steps with this, text, true and + to run the document write steps with this, text, true, and "Document writeln".

    @@ -112583,19 +112613,19 @@ document.body.appendChild(frame)

    DOM parsing and serialization APIs

    partial interface Element {
    -  [CEReactions] undefined setHTMLUnsafe(HTMLString html);
    +  [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
       DOMString getHTML(optional GetHTMLOptions options = {});
     
    -  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString innerHTML;
    -  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString outerHTML;
    -  [CEReactions] undefined insertAdjacentHTML(DOMString position, HTMLString string);
    +  [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
    +  [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) outerHTML;
    +  [CEReactions] undefined insertAdjacentHTML(DOMString position, (TrustedHTML or DOMString) string);
     };
     
     partial interface ShadowRoot {
    -  [CEReactions] undefined setHTMLUnsafe(HTMLString html);
    +  [CEReactions] undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
       DOMString getHTML(optional GetHTMLOptions options = {});
     
    -  [CEReactions] attribute [LegacyNullToEmptyString] HTMLString innerHTML;
    +  [CEReactions] attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
     };
     
     dictionary GetHTMLOptions {
    @@ -112646,7 +112676,7 @@ dictionary GetHTMLOptions {
     interface DOMParser {
       constructor();
     
    -  [NewObject] Document parseFromString(HTMLString string, DOMParserSupportedType type);
    +  [NewObject] Document parseFromString((TrustedHTML or DOMString) string, DOMParserSupportedType type);
     };
     
     enum DOMParserSupportedType {
    @@ -112667,6 +112697,12 @@ enum DOMParserSupportedType {
       type) method steps are:

      +
    1. Let compliantString to the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, string, "DOMParser parseFromString", and "script".

    2. +
    3. Let document be a new Document, whose content type is type and DOMParserSupportedType {

      The document's encoding will be left as its default, of UTF-8. In particular, any XML declarations or - meta elements found while parsing string will have no effect.

      + meta elements found while parsing compliantString will have no effect.

    4. @@ -112692,7 +112728,7 @@ enum DOMParserSupportedType {
      1. Parse HTML from a string given document and - string.

      2. + compliantString.

      Since document does not have a DOMParserSupportedType {

    5. Create an XML parser parse, associated with document, and with XML scripting support disabled.

    6. -
    7. Parse string using parser.

      +
    8. Parse compliantString using parser.

    9. If the previous step resulted in an XML well-formedness or XML namespace well-formedness @@ -112803,17 +112839,33 @@ enum DOMParserSupportedType { are:

        +
      1. Let compliantHTML be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, html, "Element setHTMLUnsafe", and "script".

      2. +
      3. Let target be this's template contents if this is a template element; otherwise this.

      4. Unsafely set HTML given target, this, and - html.

      5. + compliantHTML.

      ShadowRoot's setHTMLUnsafe(html) method steps - are to unsafely set HTML given this, this's shadow host, and html.

      + are:

      + +
        +
      1. Let compliantHTML be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, html, "ShadowRoot setHTMLUnsafe", and "script".

      2. + +
      3. Unsafely set HTML given this, this's shadow host, and compliantHTML.

      4. +

      To unsafely set HTML, given an Element or DocumentFragment target, an Element contextElement, and a string @@ -112839,6 +112891,12 @@ enum DOMParserSupportedType { data-x="dom-parseHTMLUnsafe">parseHTMLUnsafe(html) method steps are:

        +
      1. Let compliantHTML to the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, html, "Document parseHTMLUnsafe", and "script".

      2. +
      3. Let document be a new Document, whose content type is "DOMParserSupportedType { true.

      4. Parse HTML from a string given document and - html.

      5. + compliantHTML.

      6. Return document.

      @@ -112995,10 +113053,16 @@ enum DOMParserSupportedType { are:

        +
      1. Let compliantString be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, the given value, "Element innerHTML", and "script".

      2. +
      3. Let context be this.

      4. Let fragment be the result of invoking the fragment parsing algorithm - steps with context and the given value.

      5. + steps with context and compliantString.

      6. If context is a template element, then set context to @@ -113018,11 +113082,17 @@ enum DOMParserSupportedType { steps are:

          +
        1. Let compliantString be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, the given value, "ShadowRoot innerHTML", and "script".

        2. +
        3. Let context be this's host.

        4. Let fragment be the result of invoking the fragment parsing algorithm - steps with context and the given value.

        5. + steps with context and compliantString.

        6. Replace all with fragment within this.

        7. @@ -113076,6 +113146,12 @@ enum DOMParserSupportedType { are:

            +
          1. Let compliantString be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, the given value, "Element outerHTML", and "script".

          2. +
          3. Let parent be this's parent.

          4. If parent is null, return. There would be no way to obtain a @@ -113089,7 +113165,7 @@ enum DOMParserSupportedType { node document, body, and the HTML namespace.

          5. Let fragment be the result of invoking the fragment parsing algorithm - steps given parent and the given value.

          6. + steps given parent and compliantString.

          7. Replace this with fragment within this's parent.

          8. @@ -113144,6 +113220,12 @@ enum DOMParserSupportedType { string)
            method steps are:

              +
            1. Let compliantString be the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, string, "Element insertAdjacentHTML", and "script".

            2. +
            3. Let context be null.

            4. Use the first matching item from this list:

              @@ -113187,7 +113269,7 @@ enum DOMParserSupportedType {
            5. Let fragment be the result of invoking the fragment parsing algorithm - steps with context and string.

              + steps with context and compliantString.

            6. Use the first matching item from this list: @@ -113252,7 +113334,7 @@ enum DOMParserSupportedType { and attributes like script or event handler content attributes.

              partial interface Range {
              -  [CEReactions, NewObject] DocumentFragment createContextualFragment(HTMLString string);
              +  [CEReactions, NewObject] DocumentFragment createContextualFragment((TrustedHTML or DOMString) string);
               };
              @@ -113262,6 +113344,12 @@ enum DOMParserSupportedType { method steps are:

                +
              1. Let compliantString be the result of invoking the Get + Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, string, and "Range + createContextualFragment".

              2. +
              3. Let node be this's start node.

              4. @@ -113293,7 +113381,7 @@ enum DOMParserSupportedType {
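Review bot: Step 1 of the new createContextualFragment steps invokes the Get Trusted Type compliant string algorithm with only four arguments — `TrustedHTML`, this's relevant global object, string, and `"Range createContextualFragment"` — and omits the trailing sink group, whereas every other invocation added by this patch (setHTMLUnsafe, innerHTML, outerHTML, insertAdjacentHTML, parseFromString, parseHTMLUnsafe, the Worker and SharedWorker constructors, importScripts) passes `"script"` as a fifth argument. Unless the algorithm's parameter list is intentionally different for this sink, the step should end `… this's relevant global object, string, "Range createContextualFragment", and "script".`, with the `and` moved from before the sink name to before the sink group. As written, the sink group for this sink is left unspecified, so an implementer cannot tell from the text which Trusted Types enforcement group the call belongs to.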
              5. Let fragment node be the result of invoking the fragment parsing - algorithm steps with element and string.

              6. + algorithm steps with element and compliantString.

              7. For each script of fragment node's @@ -118393,7 +118481,7 @@ interface WorkerGlobalScope : EventTarget { readonly attribute WorkerGlobalScope self; readonly attribute WorkerLocation location; readonly attribute WorkerNavigator navigator; - undefined importScripts(ScriptURLString... urls); + undefined importScripts((TrustedScriptURL or USVString)... urls); attribute OnErrorEventHandler onerror; attribute EventHandler onlanguagechange; @@ -119248,7 +119336,7 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope

                [Exposed=(Window,DedicatedWorker,SharedWorker)]
                 interface Worker : EventTarget {
                -  constructor(ScriptURLString scriptURL, optional WorkerOptions options = {});
                +  constructor((TrustedScriptURL or USVString) scriptURL, optional WorkerOptions options = {});
                 
                   undefined terminate();
                 
                @@ -119346,11 +119434,17 @@ enum WorkerType { "classic", "module" };
                   steps:

                  +
                1. Let compliantScriptURL be the result of invoking the Get Trusted Type compliant string algorithm with TrustedScriptURL, this's relevant global + object, scriptURL, "Worker constructor", and "script".

                2. +
                3. Let outside settings be the current settings object.

                4. Let worker URL be the result of encoding-parsing a URL given - scriptURL, relative to outside settings.

                  + compliantScriptURL, relative to outside settings.

                  Any same-origin URL (including blob: URLs) can be used. data: @@ -119387,7 +119481,7 @@ enum WorkerType { "classic", "module" };

                  [Exposed=Window]
                   interface SharedWorker : EventTarget {
                  -  constructor(ScriptURLString scriptURL, optional (DOMString or WorkerOptions) options = {});
                  +  constructor((TrustedScriptURL or USVString) scriptURL, optional (DOMString or WorkerOptions) options = {});
                   
                     readonly attribute MessagePort port;
                   };
                  @@ -119436,6 +119530,12 @@ interface SharedWorker : EventTarget {
                     constructor is invoked:

                    +
                  1. Let compliantScriptURL be the result of invoking the Get Trusted Type compliant string algorithm with TrustedScriptURL, this's relevant global + object, scriptURL, "SharedWorker constructor", and + "script".

                  2. +
                  3. If options is a DOMString, set options to a new WorkerOptions dictionary whose name member is set to the value of options and whose other members @@ -119445,7 +119545,7 @@ interface SharedWorker : EventTarget {

                  4. Let urlRecord be the result of encoding-parsing a URL given - scriptURL, relative to outside settings.

                    + compliantScriptURL, relative to outside settings.

                    Any same-origin URL (including blob: URLs) can be used. data: @@ -119629,8 +119729,26 @@ interface SharedWorker : EventTarget {

                    The importScripts(...urls) - method steps are to import scripts into worker global scope given this - and urls.

                    + method steps are:

                    + +
                      +
                    1. Let urlStrings be « ».

                    2. + +
                    3. +

                      For each url of urls:

                      + +
                        +
                      1. Append the result of invoking the Get Trusted Type compliant string algorithm with TrustedScriptURL, this's relevant + global object, url, "Worker importScripts", and "script" to urlStrings.

                      2. +
                      +
                    4. + +
                    5. Import scripts into worker global scope given this and + urlStrings.

                    6. +

                    To import scripts into worker global scope, given a WorkerGlobalScope object worker global scope, a list of