[wpt-sync] Sync PR 31038 - [Trusted Types] Ensure execCommand('insertHTML') is TT-safe.
Categories: Core :: DOM: Security, task, P4

Release | Tracking | Status
---|---|---
firefox95 | --- | fixed

People: Reporter: mozilla.org, Unassigned
Whiteboard: [wptsync downstream]
Sync web-platform-tests PR 31038 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/31038
Details from upstream follow.
Daniel Vogelheim <vogelheim@chromium.org> wrote:
[Trusted Types] Ensure execCommand('insertHTML') is TT-safe.

Trusted Types protects against XSS by providing a configurable boundary
for HTML insertion into the DOM. execCommand with the "insertHTML" command
works around these. This introduces a Trusted Types check for
execCommand("insertHTML") that is the exact equivalent of element.innerHTML.

Tests ensure that - if TT is not enabled - execCommand will work as before.
Tests also ensure that - if TT is enabled - execCommand with "insertHTML"
will obey TT policies and the default policy, while other sub-commands will
continue to work as before.

Bug: 1230567
Change-Id: Iaa50b01bec4061f53b6d66b0b21f63527f2b71a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3048161
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/main@{#927214}
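The gating the commit describes, as an added in-memory model in JavaScript (this is not the PR's or Chromium's code; TrustedHTML, createTTContext, compliantHTML and execCommandChecked are names chosen for this example, and the real browser API is window.trustedTypes together with document.execCommand). It shows that with enforcement on, a plain string reaching "insertHTML" is rejected or routed through the default policy exactly as it would be for innerHTML, while other commands are untouched.

```javascript
// Added example, not code from the PR: an in-memory model of the gating the
// commit describes. All names here are this example's own; browsers expose
// the real API as window.trustedTypes and document.execCommand.
class TrustedHTML {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Policy factory: a policy created under the name "default" becomes the
// default policy that plain strings are routed through under enforcement.
function createTTContext(enforce) {
  const ctx = { enforce, defaultPolicy: null };
  ctx.createPolicy = (name, rules) => {
    const policy = {
      name,
      createHTML: (input, ...args) => {
        const out = rules.createHTML(String(input), ...args);
        if (out == null) throw new TypeError(`policy ${name} rejected the HTML`);
        return new TrustedHTML(String(out));
      },
    };
    if (name === 'default') ctx.defaultPolicy = policy;
    return policy;
  };
  return ctx;
}

// The same check innerHTML performs: TrustedHTML passes through; a plain
// string is accepted only when enforcement is off or a default policy
// converts it, otherwise the sink throws a TypeError.
function compliantHTML(ctx, value, sink) {
  if (value instanceof TrustedHTML) return value.html;
  if (!ctx.enforce) return String(value);
  if (!ctx.defaultPolicy) throw new TypeError(`${sink} requires TrustedHTML`);
  return ctx.defaultPolicy.createHTML(value, 'TrustedHTML', sink).html;
}

// Model of document.execCommand after the change: only "insertHTML" is gated;
// other commands keep taking their string argument as before. `doc.log`
// stands in for the edits a real document would make.
function execCommandChecked(doc, command, value) {
  const name = String(command).toLowerCase();
  const html = name === 'inserthtml'
    ? compliantHTML(doc.tt, value, 'Document execCommand')
    : String(value);
  doc.log.push({ command: name, value: html });
  return true;
}
```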
Comment 1•3 years ago
Pushed to try (stability) https://treeherder.mozilla.org/#/jobs?repo=try&revision=a48fa9a1dfa3a0488c2acdf88018ac06a5cc6a61
Comment 2•3 years ago
CI Results
Ran 11 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 2 tests and 6 subtests

Status Summary
Firefox: OK 1, PASS 2, ERROR 1
Chrome: OK 2, PASS 7, FAIL 1
Safari: OK 1, PASS 2, ERROR 1
Details
New Tests That Don't Pass
/trusted-types/Document-execCommand.tentative.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] (Chrome: OK, Safari: OK)
/trusted-types/block-Document-execCommand.tentative.html: ERROR [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] (Chrome: OK, Safari: ERROR)
Tests Disabled in Gecko Infrastructure
/trusted-types/Document-execCommand.tentative.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] (Chrome: OK, Safari: OK)
/trusted-types/block-Document-execCommand.tentative.html: ERROR [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] (Chrome: OK, Safari: ERROR)
Pushed by wptsync@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4708252b55fc [wpt PR 31038] - [Trusted Types] Ensure execCommand('insertHTML') is TT-safe., a=testonly
Comment 4•3 years ago
bugherder