web-platform-tests · fred-wang · Jan 24, 2025 · Jan 24, 2025
diff --git a/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html b/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-none.html
@@ -4,7 +4,7 @@
 <script src="support/helper.sub.js"></script>
 <script src="./support/csp-violations.js"></script>
 <meta http-equiv="Content-Security-Policy" content="trusted-types 'none'">
-<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 <body>
 <script>
   promise_test(async t => {

diff --git a/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html b/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.html
@@ -5,7 +5,7 @@
 <script src="./support/csp-violations.js"></script>
 
 <meta http-equiv="Content-Security-Policy" content="trusted-types SomeName JustOneMoreName AnotherName">
-<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 <body>
 <script>
   // Allowed name test

diff --git a/trusted-types/require-trusted-types-for-report-only.html.headers b/trusted-types/require-trusted-types-for-report-only.html.headers
@@ -1,2 +1,2 @@
 Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
diff --git a/trusted-types/require-trusted-types-for.html b/trusted-types/require-trusted-types-for.html
@@ -4,7 +4,7 @@
   <script src="/resources/testharnessreport.js"></script>
   <script src="./support/csp-violations.js"></script>
   <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
-  <meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+  <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">
 </head>
 <body>
 <script>

diff --git a/trusted-types/support/csp-violations.js b/trusted-types/support/csp-violations.js
@@ -17,15 +17,15 @@ function trusted_type_violations_and_exception_for(fn) {
     let handler = e => {
       if (cspDirectives.includes(e.effectiveDirective)) {
         result.violations.push(e);
-      } else if (e.effectiveDirective === "object-src") {
-        document.removeEventListener("securitypolicyviolation", handler);
+      } else if (e.effectiveDirective === "connect-src") {
+        self.removeEventListener("securitypolicyviolation", handler);
         e.stopPropagation();
         resolve(result);
       } else {
         reject(`Unexpected violation for directive ${e.effectiveDirective}`);
       }
     }
-    document.addEventListener("securitypolicyviolation", handler);
+    self.addEventListener("securitypolicyviolation", handler);
 
     // Run the specified function and record any exception.
     try {
@@ -34,13 +34,10 @@ function trusted_type_violations_and_exception_for(fn) {
       result.exception = e;
     }
 
-    // Force an "object-src" violation, to make sure all the previous violations
+    // Force a "connect-src" violation, to make sure all the previous violations
     // have been delivered. This assumes the test file's associated .headers
-    // file contains Content-Security-Policy: object-src 'none'.
-    var o = document.createElement('object');
-    o.type = "video/mp4";
-    o.data = "dummy.webm";
-    document.body.appendChild(o);
+    // file contains Content-Security-Policy: connect-src 'none'.
+    new EventSource("/common/blank.html");
   });
 }
 

diff --git a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html
@@ -11,13 +11,13 @@
   // headers are set in the .headers file:
   //
   //   Content-Security-Policy: script-src 'unsafe-inline'; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy: require-trusted-types-for 'script'
   //
   // The second rule is there so we can provoke a CSP violation report at will.
   // The intent is that in order to test that a violation has *not* been thrown
   // (and without resorting to abominations like timeouts), we force a *another*
-  // CSP violation (by violating the object-src rule) and when that event is
+  // CSP violation (by violating the connect-src rule) and when that event is
   // processed we can we sure that an earlier event - if it indeed occurred -
   // must have already been processed.
 

diff --git a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html.headers
@@ -1,3 +1,3 @@
 Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy: require-trusted-types-for 'script'
diff --git a/trusted-types/trusted-types-eval-reporting-report-only.html b/trusted-types/trusted-types-eval-reporting-report-only.html
@@ -11,7 +11,7 @@
   // headers are set in the .headers file:
   //
   //   Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
   //
   // The last rule is there so we can provoke a CSP violation report at will.

diff --git a/trusted-types/trusted-types-eval-reporting-report-only.html.headers b/trusted-types/trusted-types-eval-reporting-report-only.html.headers
@@ -1,4 +1,4 @@
 Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
 
diff --git a/trusted-types/trusted-types-eval-reporting.html b/trusted-types/trusted-types-eval-reporting.html
@@ -11,7 +11,7 @@
   // headers are set in the .headers file:
   //
   //   Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
-  //   Content-Security-Policy: object-src 'none'
+  //   Content-Security-Policy: connect-src 'none'
   //   Content-Security-Policy: require-trusted-types-for 'script'
   //
   // The last rule is there so we can provoke a CSP violation report at will.

diff --git a/trusted-types/trusted-types-eval-reporting.html.headers b/trusted-types/trusted-types-eval-reporting.html.headers
@@ -1,4 +1,4 @@
 Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
 Content-Security-Policy: require-trusted-types-for 'script'
 
diff --git a/trusted-types/trusted-types-report-only.html.headers b/trusted-types/trusted-types-report-only.html.headers
@@ -1,2 +1,2 @@
 Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php; require-trusted-types-for 'script';
-Content-Security-Policy: object-src 'none'
+Content-Security-Policy: connect-src 'none'
diff --git a/trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html b/trusted-types/trusted-types-reporting-for-DOMParser-parseFromString.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+	(new DOMParser()).parseFromString(policy.createHTML(input), "text/html")
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+	(new DOMParser()).parseFromString(input, "text/html")
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `DOMParser parseFromString|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Document-execCommand.html b/trusted-types/trusted-types-reporting-for-Document-execCommand.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ => {
+        ["insertHTML", "paste"].forEach(command => {
+          document.execCommand(command, false, policy.createHTML(input));
+        });
+      });
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.execCommand("paste", false, input)
+      );
+    }, "No violation reported (paste command).");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.execCommand("insertHTML", false, input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Document execCommand|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string (insertHTML command).");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html b/trusted-types/trusted-types-reporting-for-Document-parseHTMLUnsafe.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        Document.parseHTMLUnsafe(policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        Document.parseHTMLUnsafe(input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Document parseHTMLUnsafe|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Document-write.html b/trusted-types/trusted-types-reporting-for-Document-write.html
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <div id="log"></div>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = [`<p>${'A'.repeat(50)}</p>`,
+                   `<p>${'B'.repeat(30)}</p>`,
+                   `<p>${'C'.repeat(20)}</p>`];
+    const joinedInput = input.join('');
+    const trustedInput = input.map(x => policy.createHTML(input));
+
+    // Create a separate document for testing, so write calls don't mess up with
+    // how testharness writes its output in the main document.
+    const doc = (new DOMParser()).
+          parseFromString(policy.createHTML("<body></body>"), "text/html");
+
+    ["write", "writeln"].forEach(methodName => {
+      promise_test(async t => {
+        await no_trusted_type_violation_for(_ =>
+          doc[methodName](...trustedInput)
+        );
+      }, `No violation reported for ${methodName}() with TrustedHTML arguments.`);
+
+      promise_test(async t => {
+        let violation = await trusted_type_violation_for(TypeError, _ =>
+          doc[methodName](trustedInput[0], input[1], trustedInput[2])
+        );
+        assert_equals(violation.blockedURI, "trusted-types-sink");
+        assert_equals(violation.sample, `Document ${methodName}|${clipSampleIfNeeded(joinedInput)}`);
+      }, `Violation report for plain string for ${methodName}() with at least one plain string argument.`);
+    });
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-innerHTML.html b/trusted-types/trusted-types-reporting-for-Element-innerHTML.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").innerHTML = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").innerHTML = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element innerHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html b/trusted-types/trusted-types-reporting-for-Element-insertAdjacentHTML.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").
+	  insertAdjacentHTML("beforeend", policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").insertAdjacentHTML("beforeend", input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element insertAdjacentHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-outerHTML.html b/trusted-types/trusted-types-reporting-for-Element-outerHTML.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").outerHTML = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").outerHTML = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element outerHTML|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html b/trusted-types/trusted-types-reporting-for-Element-setHTMLUnsafe.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("div").setHTMLUnsafe(policy.createHTML(input))
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("div").setHTMLUnsafe(input)
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `Element setHTMLUnsafe|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>
diff --git a/trusted-types/trusted-types-reporting-for-HTMLIFrameElement-srcdoc.html b/trusted-types/trusted-types-reporting-for-HTMLIFrameElement-srcdoc.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/csp-violations.js"></script>
+<meta http-equiv="Content-Security-Policy"
+      content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+  <script>
+    const policy = trustedTypes.createPolicy("dummy", { createHTML: x => x });
+    const input = `<p>${'A'.repeat(100)}</p>`;
+
+    promise_test(async t => {
+      await no_trusted_type_violation_for(_ =>
+        document.createElement("iframe").srcdoc = policy.createHTML(input)
+      );
+    }, "No violation reported for TrustedHTML.");
+
+    promise_test(async t => {
+      let violation = await trusted_type_violation_for(TypeError, _ =>
+        document.createElement("iframe").srcdoc = input
+      );
+      assert_equals(violation.blockedURI, "trusted-types-sink");
+      assert_equals(violation.sample, `HTMLIFrameElement srcdoc|${clipSampleIfNeeded(input)}`);
+    }, "Violation report for plain string.");
+  </script>
+</body>