testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.html

   1 <!DOCTYPE html>
   2 <html>
   3 <head>
   4   <script src="/resources/testharness.js"></script>
   5   <script src="/resources/testharnessreport.js"></script>
   6   <script src="support/helper.sub.js"></script>
   7
   8   <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
   9 </head>
  10 <body>
  11 <script>
  12     test(t => {
  13       assert_element_accepts_trusted_html_set_ns(window, '0', t, 'a', 'b', RESULTS.HTML);
  14     }, "Element.setAttributeNS assigned via policy (successful HTML transformation)");
  15
  16     test(t => {
  17       assert_element_accepts_trusted_script_set_ns(window, '1', t, 'a', 'b', RESULTS.SCRIPT);
  18     }, "Element.setAttributeNS assigned via policy (successful Script transformation)");
  19
  20     test(t => {
  21       assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);
  22     }, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");
  23
  24     // Unknown attributes should not be TT checked:
  25     test(t => {
  26       assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string');
  27     }, "Element.setAttributeNS accepts untrusted string for non-specced accessor");
  28
  29     test(t => {
  30       assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null');
  31     }, "Element.setAttributeNS accepts null for non-specced accessor");
  32
  33     // Setup trusted values for use in subsequent tests.
  34     const script_url = createScriptURL_policy(window, '5').createScriptURL(INPUTS.ScriptURL);
  35     const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML);
  36     const script = createScript_policy(window, '7').createScript(INPUTS.Script);
  37
  38     const xlink = "http://www.w3.org/1999/xlink";
  39     const svg = "http://www.w3.org/2000/svg";
  40
  41     // svg:script xlink:href=... expects a TrustedScriptURL.
  42     // Assigning a TrustedScriptURL works.
  43     test(t => {
  44       let elem = document.createElementNS(svg, "script");
  45       elem.setAttributeNS(xlink, "href", script_url);
  46       assert_equals("" + RESULTS.ScriptURL,
  47                     elem.getAttributeNodeNS(xlink, "href").value);
  48     }, "Assigning TrustedScriptURL to <svg:script xlink:href=...> works");
  49
  50     // Assigning things that ought to not work.
  51     test(t => {
  52       let elem = document.createElementNS(svg, "script");
  53       const values = [ "abc", null, html, script ];
  54       for (const v of values) {
  55         assert_throws_js(TypeError, _ => {
  56           elem.setAttributeNS(xlink, "href", v);
  57         });
  58       }
  59     }, "Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works");
  60 </script>