Closed Bug 1968383 Opened 11 months ago Closed 11 months ago

Trusted Type: Improve WPT test coverage for script enforcements

Categories: Core :: DOM: Security, task
Tracking: RESOLVED FIXED, 141 Branch
Tracking Status: firefox141 --- fixed
People: Reporter: fwang, Assigned: fwang
Attachments: 3 files

No description provided.

I just uploaded more tests for script enforcement: https://phabricator.services.mozilla.com/D251094

  • WebKit passes all of them except the ones for Node.moveBefore() (not implemented yet)
  • Chromium passes all the tests, except the ones where it currently implements Trusted checks not defined in the spec (Node.prepend() etc)

This should cover many cases detected in the WIP patch for bug 1928932.

Attachment #9490556 - Attachment description: Bug 1968383 - Add more Trusted Type tests for HTML/SVG script enforcements. r=smaug → WIP: Bug 1968383 - Add more Trusted Type tests for HTML/SVG script enforcements. r=smaug
Attachment #9490556 - Attachment description: WIP: Bug 1968383 - Add more Trusted Type tests for HTML/SVG script enforcements. r=smaug → Bug 1968383 - Add more Trusted Type tests for HTML/SVG script enforcements. r=smaug

This verifies that the source text transformed by the default policy is used
for various steps of "prepare the script element":

https://html.spec.whatwg.org/#prepare-the-script-element
PR https://github.com/w3c/trusted-types/pull/579

Attachment #9491138 - Attachment description: WIP: Bug 1968383 Add more Trusted Types enforcement tests testing a source text transformed by the default policy. r=smaug → Bug 1968383 Add more Trusted Types enforcement tests testing a source text transformed by the default policy. r=smaug
Attachment #9491138 - Attachment description: Bug 1968383 Add more Trusted Types enforcement tests testing a source text transformed by the default policy. r=smaug → WIP: Bug 1968383 Add more Trusted Types enforcement tests testing a source text transformed by the default policy. r=smaug

This verifies sink mismatch violation report for script enforcement
rules. When a default policy is specified, this is reported as a
script-src-elem violation and the script's text source is actually
not reported to the user.

Pushed by fwang@igalia.com:
  • https://github.com/mozilla-firefox/firefox/commit/1b64fcb3375e https://hg.mozilla.org/integration/autoland/rev/5966d24c9bcd Add more Trusted Type tests for HTML/SVG script enforcements. r=smaug
  • https://github.com/mozilla-firefox/firefox/commit/fa24f94cae55 https://hg.mozilla.org/integration/autoland/rev/b40ba3e6cd66 Add more Trusted Types enforcement tests testing a source text transformed by the default policy. r=smaug
  • https://github.com/mozilla-firefox/firefox/commit/73060e373402 https://hg.mozilla.org/integration/autoland/rev/06d9162cd877 Add CSP violation report tests for trusted types script enforcement. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/52885 for changes under testing/web-platform/tests
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
Upstream PR was closed without merging
Upstream PR merged by moz-wptsync-bot
QA Whiteboard: [qa-triage-done-c142/b141]