Add test to verify legacy sinks for TrustedScript are not supported (#49920)

This verifies some API for ParentNode/ChildNode [1] [2] don't do any
check for trusted types. This might already be covered by IDL tests but
we just perform a direct verification here. This test fails in Chromium,
which is not aligned with the DOM spec here [3] and performs specific
checks for HTML script elements. Chromium also implements similar
behavior for `ChildNodePart.replaceChildren()` but that's currently not
shipped [4].

[1] https://dom.spec.whatwg.org/#interface-parentnode
[2] https://dom.spec.whatwg.org/#interface-childnode
[3] w3c/trusted-types#494 (comment)
[4] https://groups.google.com/a/chromium.org/g/blink-dev/c/wIADRnljZDA/m/whzEaaAADAAJ
fred-wang authored Jan 6, 2025
1 parent 3ed9cf9 commit dc4c466
Showing 1 changed file with 32 additions and 0 deletions.
32 changes: 32 additions & 0 deletions trusted-types/legacy-trusted-scripts.html
@@ -0,0 +1,32 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
<div id="log"></div>
<script id="prependScript">;</script>
<script id="appendScript">;</script>
<script id="replaceChildrenScript">;</script>
<script id="beforeScript">;</script>
<script id="afterScript">;</script>
<script id="replaceWithScript">;</script>
<script>
test(t => {
prependScript.prepend("1", "2", "3");
assert_equals(prependScript.textContent, "123;");

appendScript.append("1", "2", "3");
assert_equals(appendScript.textContent, ";123");

replaceChildrenScript.replaceChildren("1", "2", "3");
assert_equals(replaceChildrenScript.textContent, "123");

beforeScript.firstChild.before("1", "2", "3");
assert_equals(beforeScript.textContent, "123;");

afterScript.firstChild.after("1", "2", "3");
assert_equals(afterScript.textContent, ";123");

replaceWithScript.firstChild.replaceWith("1", "2", "3");
assert_equals(replaceWithScript.textContent, "123");
}, "Legacy sinks for TrustedScript accept arbitrary strings.");
</script>
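
Review bot: all six sinks are checked inside the single test() at the end of the file, so the first exception or failing assert_equals (starting with the prepend() check) aborts the test and nothing is reported for append(), replaceChildren(), before(), after() or replaceWith(). The commit message says this test fails in Chromium, so splitting it into one test() per method would show which of the six calls an engine actually enforces instead of a single FAIL. Two smaller points: the callback parameter t is never used and can be dropped, and the script elements are reached through named window properties (prependScript, appendScript, and so on), where document.getElementById would make the lookup explicit and independent of any global with the same name.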
