Improve test coverage of sink values #494

lukewarlow · 2024-03-28T11:32:16Z

We should ensure that we have exhaustive coverage of the "sink" value, this is the prefix for violation object samples, aswell as being one of the arguments for the default policy.

lukewarlow · 2024-03-28T11:32:59Z

Example change web-platform-tests/wpt#45058

One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1907849 gecko-commit: cb3e58c8b7ff8d78bfab512fae053cc7de5d787b gecko-reviewers: smaug

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363

One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1907849 gecko-commit: c006cb26e155686ac4c27d2a0797ff2ce03e39a8 gecko-reviewers: smaug

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363

One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1907849 gecko-commit: c006cb26e155686ac4c27d2a0797ff2ce03e39a8 gecko-reviewers: smaug

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 UltraBlame original commit: cb3e58c8b7ff8d78bfab512fae053cc7de5d787b

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 UltraBlame original commit: c006cb26e155686ac4c27d2a0797ff2ce03e39a8

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 UltraBlame original commit: cb3e58c8b7ff8d78bfab512fae053cc7de5d787b

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 UltraBlame original commit: c006cb26e155686ac4c27d2a0797ff2ce03e39a8

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 UltraBlame original commit: cb3e58c8b7ff8d78bfab512fae053cc7de5d787b

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363 UltraBlame original commit: c006cb26e155686ac4c27d2a0797ff2ce03e39a8

…eHTMLUnsafe". r=smaug One step towards fixing w3c/trusted-types#494. Differential Revision: https://phabricator.services.mozilla.com/D232363

fred-wang · 2025-01-03T07:46:01Z

Trusted Types spec:
https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts

HTML spec:
https://html.spec.whatwg.org/multipage/infrastructure.html#tt-trustedhtml
https://html.spec.whatwg.org/multipage/infrastructure.html#tt-trustedscript
https://html.spec.whatwg.org/multipage/infrastructure.html#tt-trustedscripturl

DOM spec:
whatwg/dom#1268

CSP spec:
https://w3c.github.io/webappsec-csp/#can-compile-strings

SVG spec (merged PR don't seem to show up on https://svgwg.org/svg2-draft):
w3c/svgwg#934

Service Workers spec:
https://w3c.github.io/ServiceWorker/#ref-for-dom-serviceworkercontainer-register

execCommand draft:
https://w3c.github.io/editing/docs/execCommand/#methods-to-query-and-execute-commands

Blink IDL: https://source.chromium.org/search?q=(TrustedHTML%20OR%20TrustedScript%20OR%20TrustedScriptURL%20OR%20TrustedType)%20AND%20filepath:third_party%2Fblink%2Frenderer%2Fcore%20AND%20file:idl&start=1

WebKit IDL: https://searchfox.org/wubkat/search?q=TrustedHTML%7CTrustedScriptURL%7CTrustedScript%7CTrustedType&path=.idl%24&case=false&regexp=true

Gecko IDL: https://searchfox.org/mozilla-central/search?q=TrustedHTML%7CTrustedScriptURL%7CTrustedScript%7CTrustedType&path=.webidl%24&case=false&regexp=true

Note that checking the IDL does not give the complete list of sinks, for example eval and function constructors ends up using https://w3c.github.io/webappsec-csp/#can-compile-strings

fred-wang · 2025-01-06T09:57:28Z

Trusted Types spec:

HTMLScriptElement's innerText (TrustedScript)
HTMLScriptElement's textContent (TrustedScript)
HTMLScriptElement's src (TrustedScriptURL)
HTMLScriptElement's text (TrustedScript)

HTML spec:

Document's write() (TrustedHTML)
Document's writeln() (TrustedHTML)
Document's parseHTMLUnsafe() (TrustedHTML)
HTMLIFrameElement's srcdoc (TrustedHTML)
Document's setHTMLUnsafe()̀ (TrustedHTML`)
Element's innerHTML (TrustedHTML)
Element's outerHTML (TrustedHTML)
Element's insertAdjacentHTML() (TrustedHTML)
ShadowRoot's setHTMLUnsafe() (TrustedHTML)
ShadowRoot's innerHTML (TrustedHTML)
DOMParser's parseFromString()̀ (TrustedHTML`)
Range's createContextualFragment() (TrustedHTML)
eval() (TrustedScript)
WindowOrWorkerGlobalScope's setTimeout() (TrustedScript)
WindowOrWorkerGlobalScope's setInterval() (TrustedScript)
WorkerGlobalScope's importScripts() (TrustedScriptURL)
Worker's constructor (TrustedScriptURL)
SharedWorker's constructor (TrustedScriptURL)

DOM spec:

Element's setAttribute() (TrustedType)
Element's setAttributeNS() (TrustedType)

CSP spec:

eval() (TrustedScript)
function constructor (TrustedScript)

SVG spec:

SVGAnimatedString's baseVal (TrustedScriptURL) -- this seems essentially used for SVGScriptElement's href, but the spec status is a bit fuzzy.
Luke mentioned SVGScriptElement should have similar script enforcement as HTML, but details are not specced yet. See SVGScriptElement needs TT protection too #483

Service Workers spec:

ServiceWorkerContainer's register() (TrustedScriptURL)

execCommand draft:

Document's execCommand() (TrustedHTML)

lukewarlow · 2025-01-06T10:07:15Z

There's also SVGScriptElement which needs handling it's just not specced yet

fred-wang · 2025-01-06T10:10:19Z

@lukewarlow yes I noticed that. It seems some PRs have been merged but are still not public. will follow-up with you privately

fred-wang · 2025-01-06T11:06:35Z

#494 (comment) should now be an up-to-date list of existing sinks. Still need to check whether we cover everything. The state of the SVG spec is still not great, but essentially we would make SVGScriptElement behave similarly to HTMLScriptElement.

Everything that is implemented in Gecko or WebKit is covered by one of the spec at #494 (comment) but Chromium still seems to implement legacy stuff (probably we should write some tests to verify these are not valid sinks):

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/dom/child_node_part.idl?q=(TrustedHTML%20OR%20TrustedScript%20OR%20TrustedScriptURL%20OR%20TrustedType)%20AND%20filepath:third_party%2Fblink%2Frenderer%2Fcore%20AND%20file:idl&start=11
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/dom/parent_node.idl?q=(TrustedHTML%20OR%20TrustedScript%20OR%20TrustedScriptURL%20OR%20TrustedType)%20AND%20filepath:third_party%2Fblink%2Frenderer%2Fcore%20AND%20file:idl&start=11
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/dom/child_node.idl?q=(TrustedHTML%20OR%20TrustedScript%20OR%20TrustedScriptURL%20OR%20TrustedType)%20AND%20filepath:third_party%2Fblink%2Frenderer%2Fcore%20AND%20file:idl&start=11

This verifies some API for ParentNode/ChildNode [1] [2] don't do any check for trusted types. This might already be covered by IDL tests but we just perform a direct verification here. This test fails in Chromium, which is not aligned with the DOM spec here [3] and performs specific checks for HTML script elements. Chromium also implements similar behavior for `ChildNodePart.replaceChildren()` but that's currently not shipped [4]. [1] https://dom.spec.whatwg.org/#interface-parentnode [2] https://dom.spec.whatwg.org/#interface-childnode [3] w3c/trusted-types#494 (comment) [4] https://groups.google.com/a/chromium.org/g/blink-dev/c/wIADRnljZDA/m/whzEaaAADAAJ

…49920) This verifies some API for ParentNode/ChildNode [1] [2] don't do any check for trusted types. This might already be covered by IDL tests but we just perform a direct verification here. This test fails in Chromium, which is not aligned with the DOM spec here [3] and performs specific checks for HTML script elements. Chromium also implements similar behavior for `ChildNodePart.replaceChildren()` but that's currently not shipped [4]. [1] https://dom.spec.whatwg.org/#interface-parentnode [2] https://dom.spec.whatwg.org/#interface-childnode [3] w3c/trusted-types#494 (comment) [4] https://groups.google.com/a/chromium.org/g/blink-dev/c/wIADRnljZDA/m/whzEaaAADAAJ

lukewarlow added this to the v1 milestone Mar 28, 2024

lukewarlow mentioned this issue Mar 28, 2024

Update IDL for script enforcement #484

Merged

moz-wptsync-bot mentioned this issue Dec 30, 2024

[Gecko Bug 1907849] part 9) Extend WPT to check sink value of "Document parseHTMLUnsafe". web-platform-tests/wpt#49859

Merged

fred-wang mentioned this issue Jan 6, 2025

Add test to verify legacy sinks for TrustedScript are not supported web-platform-tests/wpt#49920

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve test coverage of sink values #494

Improve test coverage of sink values #494

lukewarlow commented Mar 28, 2024

lukewarlow commented Mar 28, 2024

fred-wang commented Jan 3, 2025 •

edited

Loading

fred-wang commented Jan 6, 2025 •

edited

Loading

lukewarlow commented Jan 6, 2025

fred-wang commented Jan 6, 2025

fred-wang commented Jan 6, 2025

Improve test coverage of sink values #494

Improve test coverage of sink values #494

Comments

lukewarlow commented Mar 28, 2024

lukewarlow commented Mar 28, 2024

fred-wang commented Jan 3, 2025 • edited Loading

fred-wang commented Jan 6, 2025 • edited Loading

lukewarlow commented Jan 6, 2025

fred-wang commented Jan 6, 2025

fred-wang commented Jan 6, 2025

fred-wang commented Jan 3, 2025 •

edited

Loading

fred-wang commented Jan 6, 2025 •

edited

Loading