Bug 1657640 [wpt PR 24905] - [TrustedTypes] WPT test > check violation's sourceFile., a=testonly

Automatic update from web-platform-tests
[TrustedTypes] WPT test > check violation's sourceFile.

Check what is the reported sourceFile depending on the script's origin.
Currently, the full URL isn't exposed in the case of a cross-origin
script. This is an issue. See https://crbug.com/1113163

TODO: Add checks with redirects.

Bug: 1113163
Change-Id: I8bbd1234a485568127a21c6abfbd4d4a623494f2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2341125
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#795841}

--

wpt-commits: af3059a547d3843001ed2aa7537418f1c9850c92
wpt-pr: 24905

testing/web-platform/tests/trusted-types/support/set-inner-html.js

@@ -0,0 +1,3 @@
+function setInnerHtml(element, value) {
+  element.innerHTML = value;
+}

testing/web-platform/tests/trusted-types/trusted-types-source-file-path.tentative.html

@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<head>
+  <title>
+    Check the reported TrustedType violation's sourceFile.
+  </title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/common/get-host-info.sub.js"></script>
+  <meta http-equiv="Content-Security-Policy"
+        content="require-trusted-types-for 'script'; trusted-types id">
+  </head>
+<body>
+
+<script id="to-be-modified"></script>
+<script>
+let toBeModified = document.querySelector("#to-be-modified");
+
+let id_policy = trustedTypes.createPolicy("id", {
+  createHTML: x => x,
+  createScriptURL: x => x,
+  createScript: x => x,
+});
+
+function futureViolation() {
+  return new Promise(r => addEventListener("securitypolicyviolation", r), {
+    once: true
+  });
+}
+
+function futureScript(url) {
+  return new Promise(r => {
+    let script = document.createElement("script");
+    script.src = id_policy.createScriptURL(url);
+    script.onload = r;
+    document.body.appendChild(script);
+  });
+}
+
+promise_test(async t => {
+  let future_violation = futureViolation();
+  assert_throws_js(TypeError, () => {
+    document.getElementById("to-be-modified").innerHTML = "'test'";
+  });
+  let violation = await future_violation;
+  assert_equals(violation.sourceFile, location.href)
+}, "same-document script")
+
+promise_test(async t => {
+  let script_origin = get_host_info().HTTP_ORIGIN;
+  let script_src = script_origin +
+    "/trusted-types/support/set-inner-html.js";
+  let script = await futureScript(script_src);
+  let future_violation = futureViolation();
+  assert_throws_js(TypeError, () => setInnerHtml(toBeModified, "'test'"));
+  let violation = await future_violation;
+  assert_equals(violation.sourceFile, script_src);
+}, "same-origin script")
+
+promise_test(async t => {
+  let script_origin = get_host_info().HTTP_REMOTE_ORIGIN;
+  let script_src = script_origin +
+    "/trusted-types/support/set-inner-html.js";
+  let script = await futureScript(script_src);
+  let future_violation = futureViolation();
+  assert_throws_js(TypeError, () => setInnerHtml(toBeModified, "'test'"));
+  let violation = await future_violation;
+  // TODO(https://crbug.com/1113163): Consider exposing the full path of the
+  // cross-origin script here instead of just its origin.
+  assert_equals(violation.sourceFile, script_origin);
+}, "cross-origin script")
+
+// TODO(arthursonzogni): Check what happens with redirects. Do we report the
+// request's URL or the response's URL?
+
+</script>
+</body>