Closed Bug 1733637 Opened 3 years ago Closed 3 years ago

[wpt-sync] Sync PR 31038 - [Trusted Types] Ensure execCommand('insertHTML') is TT-safe.

Categories: Core :: DOM: Security, task, P4
Tracking: RESOLVED FIXED, 95 Branch
Tracking Status: firefox95 --- fixed
People: Reporter: mozilla.org, Unassigned
Whiteboard: [wptsync downstream]

Sync web-platform-tests PR 31038 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/31038
Details from upstream follow.

Daniel Vogelheim <vogelheim@chromium.org> wrote:

[Trusted Types] Ensure execCommand('insertHTML') is TT-safe.

Trusted Types protects against XSS by providing a configurable boundary
for HTML insertion into the DOM. execCommand with the "insertHTML" command
works around these. This introduces Trusted Types checks for
execCommand("insertHTML") that are the exact equivalent of element.innerHTML.

Tests ensure that - if TT is not enabled - execCommand will work as before.
Tests also ensure that - if TT is enabled - execCommand with "insertHTML"
will obey TT policies and the default policy, while other sub-commands will
continue to work as before.

Bug: 1230567
Change-Id: Iaa50b01bec4061f53b6d66b0b21f63527f2b71a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3048161
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/main@{#927214}

Component: web-platform-tests → DOM: Security
Product: Testing → Core
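The behaviour the commit message describes, as an added Node.js model that is not Chromium's, the WPT suite's or the commit's own code: one Trusted Types gate shared by element.innerHTML and execCommand('insertHTML'), which passes TrustedHTML values through, rejects plain strings when enforcement is on and no default policy exists, rewrites them through the default policy when one is registered, and leaves other sub-commands (here insertText) untouched. TrustedTypePolicyFactory, createDocument, setInnerHTML and the sample payload are hypothetical stand-ins constructed so the logic runs outside a browser; the "enforced" flag stands for a require-trusted-types-for 'script' CSP directive being present.

```javascript
// Added example (not Chromium's, WPT's or the commit's code): a Node.js model of
// the check the commit describes, where execCommand('insertHTML') goes through
// the same Trusted Types gate as element.innerHTML. TrustedTypePolicyFactory,
// createDocument and the sinks below are hypothetical stand-ins for browser
// objects so the logic can run outside a browser.

class TrustedHTML {
  #value;
  constructor(value) { this.#value = String(value); }
  toString() { return this.#value; }
}

// Stand-in for window.trustedTypes: named policies plus the optional "default" one.
class TrustedTypePolicyFactory {
  constructor() { this.policies = new Map(); }
  createPolicy(name, rules) {
    if (this.policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
    const policy = {
      name,
      createHTML(input) {
        if (typeof rules.createHTML !== 'function') throw new TypeError('no createHTML rule');
        return new TrustedHTML(rules.createHTML(String(input)));
      },
    };
    this.policies.set(name, policy);
    return policy;
  }
  get defaultPolicy() { return this.policies.get('default') || null; }
}

// The single gate shared by both HTML sinks. `enforced` models a
// "require-trusted-types-for 'script'" CSP directive being present.
function getTrustedHTML(factory, value, sinkName, enforced) {
  if (value instanceof TrustedHTML) return value.toString();   // already vetted
  if (!enforced) return String(value);                          // no TT: as before
  const policy = factory.defaultPolicy;
  if (policy) return policy.createHTML(value).toString();       // default policy rewrite
  throw new TypeError(`This document requires 'TrustedHTML' assignment for ${sinkName}`);
}

// insertText inserts literal text, so markup characters are escaped, not parsed.
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Toy document: innerHTML and execCommand('insertHTML') use the same gate;
// other sub-commands (here insertText) are left untouched, as in the commit.
function createDocument({ enforced, factory }) {
  const doc = { body: '' };
  doc.setInnerHTML = (value) => {
    doc.body = getTrustedHTML(factory, value, 'Element.innerHTML', enforced);
  };
  doc.execCommand = (command, _showUI, value) => {
    if (command === 'insertHTML') {
      doc.body += getTrustedHTML(factory, value, "Document.execCommand('insertHTML')", enforced);
    } else if (command === 'insertText') {
      doc.body += escapeText(value);
    } else {
      return false;  // unsupported command in this model
    }
    return true;
  };
  return doc;
}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Walks the scenarios the commit's tests cover and returns what each sink ended up with.
function demo() {
  const payload = '<img src=x onerror="alert(1)"><b>ok</b>';  // constructed sample input
  const results = {};

  // 1. TT not enabled: insertHTML accepts a plain string unchanged.
  const open = createDocument({ enforced: false, factory: new TrustedTypePolicyFactory() });
  open.execCommand('insertHTML', false, payload);
  results.unenforcedInsertHTML = open.body;

  // 2. TT enforced, no default policy: strings are rejected by both sinks alike,
  //    while insertText keeps working.
  const strict = createDocument({ enforced: true, factory: new TrustedTypePolicyFactory() });
  results.strictInnerHTMLThrows = throwsTypeError(() => strict.setInnerHTML(payload));
  results.strictInsertHTMLThrows = throwsTypeError(() => strict.execCommand('insertHTML', false, payload));
  strict.execCommand('insertText', false, payload);
  results.strictInsertText = strict.body;

  // 3. TT enforced with a default policy: the string is rewritten by the policy
  //    (a deliberately naive on*-attribute stripper, constructed for this example).
  const factory = new TrustedTypePolicyFactory();
  factory.createPolicy('default', { createHTML: (s) => s.replace(/\son\w+="[^"]*"/gi, '') });
  const withDefault = createDocument({ enforced: true, factory });
  withDefault.execCommand('insertHTML', false, payload);
  results.defaultPolicyInsertHTML = withDefault.body;

  // 4. A TrustedHTML value from a named policy passes the gate as-is.
  const reviewed = factory.createPolicy('reviewed', { createHTML: (s) => s });
  withDefault.setInnerHTML(reviewed.createHTML('<b>trusted</b>'));
  results.trustedInnerHTML = withDefault.body;

  return results;
}

console.log(demo());
```

The point of routing both sinks through getTrustedHTML is that a policy audit for innerHTML then covers insertHTML for free; before the commit, an enforced page could still receive an unvetted string through execCommand. The default-policy stripper here is only a placeholder to show the rewrite path, not a sanitizer to reuse.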

CI Results

Ran 11 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 2 tests and 6 subtests

Status Summary

Browser   OK   PASS   ERROR   FAIL
Firefox    1      2       1      -
Chrome     2      7       -      1
Safari     1      2       1      -

Details

New Tests That Don't Pass

/trusted-types/Document-execCommand.tentative.html: OK [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] (Chrome: OK, Safari: OK)
/trusted-types/block-Document-execCommand.tentative.html: ERROR [GitHub], SKIP [Gecko-android-em-7.0-x86_64-lite-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-lite-qr-opt-geckoview, Gecko-android-em-7.0-x86_64-qr-debug-geckoview, Gecko-android-em-7.0-x86_64-qr-opt-geckoview, Gecko-linux1804-64-qr-debug, Gecko-linux1804-64-qr-opt, Gecko-linux1804-64-tsan-qr-opt, Gecko-windows10-32-2004-qr-debug, Gecko-windows10-32-2004-qr-opt, Gecko-windows10-64-2004-qr-debug, Gecko-windows10-64-2004-qr-opt] (Chrome: OK, Safari: ERROR)

Tests Disabled in Gecko Infrastructure

The same two tests listed above (both SKIP on every Gecko configuration).

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4708252b55fc
[wpt PR 31038] - [Trusted Types] Ensure execCommand('insertHTML') is TT-safe., a=testonly
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch