Bug 1637195 [wpt PR 23525] - Remove the `[SecureContext]` restriction from Trusted Types., a=testonly

Automatic update from web-platform-tests Remove the `[SecureContext]` restriction from Trusted Types. While it's reasonable to exclude new APIs from non-secure contexts, the ancestry requirements allow attackers to disable restricted APIs from embedded contexts. This is usually excellent, as it means that data won't leak from secure to non-secure contexts. For security features, on the other hand, this gives the attacker some advantage with regard to embedded contexts' mitigtions. This is unfortunate, and this patch removes the restriction to ensure that embedded contexts can continue to mitigate the effect of XSS attack by reverting https://crrev.com/c/2093214 and https://crrev.com/c/2098076. Bug: 1059554 Change-Id: Ib948437310509f1d29cacff1e6c74ab7cbc30d11 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2195965 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#767894} -- wpt-commits: 094353fedf808caf83e82b4959b5edf02e1be92e wpt-pr: 23525
2020-05-20 16:59:26 +00:00 · 2020-05-20 16:59:26 +00:00 · 84c3aac2d2
--- a/testing/web-platform/tests/lint.ignore
+++ b/testing/web-platform/tests/lint.ignore
@ -201,8 +201,8 @@ SET TIMEOUT: service-workers/service-worker/resources/resource-timing-worker.js
 SET TIMEOUT: shadow-dom/Document-prototype-currentScript.html
 SET TIMEOUT: shadow-dom/scroll-to-the-fragment-in-shadow-tree.html
 SET TIMEOUT: shadow-dom/slotchange-event.html
-SET TIMEOUT: trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.https.html
-SET TIMEOUT: trusted-types/DOMWindowTimers-setTimeout-setInterval.tentative.https.html
+SET TIMEOUT: trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
+SET TIMEOUT: trusted-types/DOMWindowTimers-setTimeout-setInterval.tentative.html
 SET TIMEOUT: user-timing/*
 SET TIMEOUT: web-animations/timing-model/animations/*
 SET TIMEOUT: webaudio/the-audio-api/the-mediaelementaudiosourcenode-interface/mediaElementAudioSourceToScriptProcessorTest.html
--- a/testing/web-platform/tests/trusted-types/DOMParser-parseFromString-regression.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/DOMParser-parseFromString-regression.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/DOMParser-parseFromString.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/DOMParser-parseFromString.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/DOMWindowTimers-setTimeout-setInterval.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/DOMWindowTimers-setTimeout-setInterval.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Document-write.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Document-write.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Element-insertAdjacentHTML.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Element-insertAdjacentHTML.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Element-insertAdjacentText.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Element-insertAdjacentText.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Element-outerHTML.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Element-outerHTML.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Element-setAttribute.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Element-setAttribute.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Element-setAttributeNS.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Element-setAttributeNS.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/GlobalEventHandlers-onclick.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/GlobalEventHandlers-onclick.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/HTMLElement-generic.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/HTMLElement-generic.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/HTMLScriptElement-internal-slot.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/HTMLScriptElement-internal-slot.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Node-multiple-arguments.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Node-multiple-arguments.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Range-createContextualFragment.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Range-createContextualFragment.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedType-AttributeNodes.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedType-AttributeNodes.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicy-CSP-no-name.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicy-CSP-no-name.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicy-CSP-wildcard.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicy-CSP-wildcard.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicy-createXXX.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicy-createXXX.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-constants.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-constants.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-createXYZTests.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-createXYZTests.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-noNamesGiven.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-wildcard.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests-wildcard.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-cspTests.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-nameTests.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-nameTests.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-unenforced.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-createPolicy-unenforced.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-defaultPolicy.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-defaultPolicy.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-getPropertyType.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/Window-TrustedTypes.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/Window-TrustedTypes.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/WorkerGlobalScope-importScripts.https.html
+++ b/testing/web-platform/tests/trusted-types/WorkerGlobalScope-importScripts.https.html
--- a/testing/web-platform/tests/trusted-types/block-Node-multiple-arguments.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-Node-multiple-arguments.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Document-write.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Document-write.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/block-text-node-insertion-into-script-element.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/block-text-node-insertion-into-script-element.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/csp-block-eval.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/csp-block-eval.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/default-policy-callback-arguments.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/default-policy-callback-arguments.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/default-policy-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/default-policy.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/default-policy.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/default-policy.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/default-policy.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/empty-default-policy-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/empty-default-policy.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/empty-default-policy.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/empty-default-policy.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/empty-default-policy.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/eval-csp-no-tt.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/eval-csp-no-tt.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/eval-csp-tt-default-policy.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/eval-csp-tt-default-policy.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/eval-csp-tt-no-default-policy.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/eval-csp-tt-no-default-policy.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/eval-no-csp-no-tt-default-policy.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/eval-no-csp-no-tt-default-policy.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/eval-no-csp-no-tt.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/eval-no-csp-no-tt.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/eval-with-permissive-csp.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/eval-with-permissive-csp.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/idlharness.tentative.https.window.js
+++ b/testing/web-platform/tests/trusted-types/idlharness.tentative.https.window.js
--- a/testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/no-require-trusted-types-for-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/no-require-trusted-types-for.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/no-require-trusted-types-for.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/nonsecure-require-trusted-types-for.tentative.html
+++ b/testing/web-platform/tests/trusted-types/nonsecure-require-trusted-types-for.tentative.html
@ -1,24 +0,0 @@
-<!DOCTYPE html>
-<head>
-  <script src="/resources/testharness.js"></script>
-  <script src="/resources/testharnessreport.js"></script>
-  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
-</head>
-<body>
-<script>
-  const testCases = [
-    ["script", "src"],
-    ["div", "innerHTML"],
-    ["script", "text"],
-  ];
-
-  testCases.forEach(c => {
-    const name = `${c[0]}.${c[1]} `;
-    test(t => {
-      s = document.createElement(c[0]);
-      s[c[1]] = "https://example.com/";
-      assert_equals("https://example.com/", s[c[1]].toString());
-    }, name + "without trusted types is not blocked by require-trusted-types-for on non-secure pages");
-  });
-</script>
-</body>
--- a/testing/web-platform/tests/trusted-types/nonsecure-require-trusted-types-for.tentative.html.headers
+++ b/testing/web-platform/tests/trusted-types/nonsecure-require-trusted-types-for.tentative.html.headers
@ -1 +0,0 @@
-Content-Security-Policy: require-trusted-types-for 'script'
--- a/testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/require-trusted-types-for.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/require-trusted-types-for.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-createHTMLDocument.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-createHTMLDocument.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names-list-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names-list-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names-list-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names-list-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names-list.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names-list.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-duplicate-names.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-navigation.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-navigation.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-reporting-check-report.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-reporting-check-report.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-reporting-check-report.https.html.sub.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-reporting-check-report.https.html.sub.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html.headers
+++ b/testing/web-platform/tests/trusted-types/trusted-types-reporting.tentative.https.html.headers
--- a/testing/web-platform/tests/trusted-types/trusted-types-svg-script.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/trusted-types-svg-script.tentative.https.html
--- a/testing/web-platform/tests/trusted-types/tt-block-eval.tentative.https.html
+++ b/testing/web-platform/tests/trusted-types/tt-block-eval.tentative.https.html
				`@ -1 +0,0 @@`
				`Content-Security-Policy: require-trusted-types-for 'script'`