Bug 1805632 - Add a new pref just for Element.setHTML without enabling the Sanitizer interface. r=freddyb,webidl,edgar

The purpose of this is to allow using setHTML(text), without specifiying the sanitizer and thus always getting
the default sanitizer policy.

Differential Revision: https://phabricator.services.mozilla.com/D164677

dom/security/sanitizer/tests/mochitest/mochitest.ini

@@ -1,6 +1,7 @@
 [DEFAULT]
 prefs =
   dom.security.sanitizer.enabled=true
+  dom.security.setHTML.enabled=true
   dom.security.sanitizer.rewrite_no_bounty=true
 scheme=https
 [test_sanitizer_api.html]

dom/webidl/Element.webidl

@@ -401,6 +401,6 @@ dictionary SetHTMLOptions {
 };
 
 partial interface Element {
-  [SecureContext, UseCounter, Throws, Pref="dom.security.sanitizer.enabled"]
+  [SecureContext, UseCounter, Throws, Pref="dom.security.setHTML.enabled"]
   undefined setHTML(DOMString aInnerHTML, optional SetHTMLOptions options = {});
 };

modules/libpref/init/StaticPrefList.yaml

@@ -3705,6 +3705,13 @@
   value: false
   mirror: always
 
+# Pref that controls the Element.setHTML API idenpendetly of the sanitizer
+# API.
+- name: dom.security.setHTML.enabled
+  type: bool
+  value: false
+  mirror: always
+
 # The Sanitizer implementation is currently being rewritten and
 # is known to be incomplete. Fuzzing and testing and this point
 # would be premature.

testing/web-platform/meta/sanitizer-api/__dir__.ini

@@ -1 +1 @@
-prefs: [dom.security.sanitizer.enabled:true, dom.security.sanitizer.rewrite_no_bounty:true]
+prefs: [dom.security.sanitizer.enabled:true, dom.security.setHTML.enabled:true, dom.security.sanitizer.rewrite_no_bounty:true]