Commit 01ffae85 authored by Stefano Sanfilippo's avatar Stefano Sanfilippo Committed by Commit Bot

[Trusted Types] Change violation resource to trusted-types-sink.

Following updates in the spec, see https://w3c.github.io/webappsec-trusted-types/dist/spec/#should-block-sink-type-mismatch.

Change-Id: Ia3622696068aaaa74cca7c1e08e475edd6b75016
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1829382
Commit-Queue: Stefano Sanfilippo <ssanfilippo@chromium.org>
Reviewed-by: default avatarAndy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#701109}
parent e16dd84b
...@@ -947,8 +947,8 @@ static void GatherSecurityPolicyViolationEventData( ...@@ -947,8 +947,8 @@ static void GatherSecurityPolicyViolationEventData(
StripURLForUseInReport(delegate->GetSecurityOrigin(), blocked_url, StripURLForUseInReport(delegate->GetSecurityOrigin(), blocked_url,
redirect_status, effective_type)); redirect_status, effective_type));
break; break;
case ContentSecurityPolicy::kTrustedTypesViolation: case ContentSecurityPolicy::kTrustedTypesSinkViolation:
init->setBlockedURI("trusted-types"); init->setBlockedURI("trusted-types-sink");
break; break;
case ContentSecurityPolicy::kTrustedTypesPolicyViolation: case ContentSecurityPolicy::kTrustedTypesPolicyViolation:
init->setBlockedURI("trusted-types-policy"); init->setBlockedURI("trusted-types-policy");
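Review bot: The new `"trusted-types-sink"` resource string carries no comment tying it to the spec step that defines it, even though the commit message cites https://w3c.github.io/webappsec-trusted-types/dist/spec/#should-block-sink-type-mismatch; a one-line `// See https://w3c.github.io/webappsec-trusted-types/dist/spec/#should-block-sink-type-mismatch` above `case ContentSecurityPolicy::kTrustedTypesSinkViolation:` would let a reader tell this case apart from the `"trusted-types-policy"` case below without digging through history. Renaming the reported blocked-uri value also changes what CSP report collectors receive, so any consumer matching on the old `"trusted-types"` string (if such consumers exist — not visible here) silently stops matching; worth a sentence in the commit message. GatherSecurityPolicyViolationEventData begins before this hunk.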
...@@ -144,7 +144,7 @@ class CORE_EXPORT ContentSecurityPolicy final ...@@ -144,7 +144,7 @@ class CORE_EXPORT ContentSecurityPolicy final
kInlineViolation, kInlineViolation,
kEvalViolation, kEvalViolation,
kURLViolation, kURLViolation,
kTrustedTypesViolation, kTrustedTypesSinkViolation,
kTrustedTypesPolicyViolation kTrustedTypesPolicyViolation
}; };
...@@ -337,7 +337,7 @@ bool CSPDirectiveList::AllowTrustedTypeAssignmentFailure( ...@@ -337,7 +337,7 @@ bool CSPDirectiveList::AllowTrustedTypeAssignmentFailure(
ContentSecurityPolicy::DirectiveType::kTrustedTypes), ContentSecurityPolicy::DirectiveType::kTrustedTypes),
ContentSecurityPolicy::DirectiveType::kTrustedTypes, message, ContentSecurityPolicy::DirectiveType::kTrustedTypes, message,
KURL(), RedirectStatus::kFollowedRedirect, KURL(), RedirectStatus::kFollowedRedirect,
ContentSecurityPolicy::kTrustedTypesViolation, sample); ContentSecurityPolicy::kTrustedTypesSinkViolation, sample);
return IsReportOnly(); return IsReportOnly();
} }
...@@ -68,7 +68,7 @@ ...@@ -68,7 +68,7 @@
function expect_blocked_uri(s) { return e => { function expect_blocked_uri(s) { return e => {
assert_true(e.blockedURI === s, assert_true(e.blockedURI === s,
`expected "${e.blockedUri}" to be "${s}".`); `expected "${e.blockedURI}" to be "${s}".`);
return e; return e;
} } } }
...@@ -154,6 +154,7 @@ ...@@ -154,6 +154,7 @@
promise_test(t => { promise_test(t => {
let p = Promise.resolve() let p = Promise.resolve()
.then(promise_violation("trusted-types two")) .then(promise_violation("trusted-types two"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("Element.innerHTML")) .then(expect_sample("Element.innerHTML"))
.then(expect_sample("abc")); .then(expect_sample("abc"));
expect_throws(_ => { document.getElementById("div").innerHTML = "abc" }); expect_throws(_ => { document.getElementById("div").innerHTML = "abc" });
...@@ -163,6 +164,7 @@ ...@@ -163,6 +164,7 @@
promise_test(t => { promise_test(t => {
let p = Promise.resolve() let p = Promise.resolve()
.then(promise_violation("trusted-types two")) .then(promise_violation("trusted-types two"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLAnchorElement.href")); .then(expect_sample("HTMLAnchorElement.href"));
expect_throws(_ => { document.getElementById("anchor").href = "" }); expect_throws(_ => { document.getElementById("anchor").href = "" });
return p; return p;
...@@ -171,6 +173,7 @@ ...@@ -171,6 +173,7 @@
promise_test(t => { promise_test(t => {
let p = Promise.resolve() let p = Promise.resolve()
.then(promise_violation("trusted-types two")) .then(promise_violation("trusted-types two"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLElement.innerText")) .then(expect_sample("HTMLElement.innerText"))
.then(expect_sample("2+2;")); .then(expect_sample("2+2;"));
expect_throws(_ => document.getElementById("script").innerText = "2+2;"); expect_throws(_ => document.getElementById("script").innerText = "2+2;");
...@@ -180,6 +183,7 @@ ...@@ -180,6 +183,7 @@
promise_test(t => { promise_test(t => {
let p = Promise.resolve() let p = Promise.resolve()
.then(promise_violation("trusted-types one")) .then(promise_violation("trusted-types one"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("eval")) .then(expect_sample("eval"))
.then(expect_sample("2+2")) .then(expect_sample("2+2"))
.then(promise_flush()); .then(promise_flush());
...@@ -193,6 +197,7 @@ ...@@ -193,6 +197,7 @@
// start of the value, but it should not be excessively long. // start of the value, but it should not be excessively long.
let p = Promise.resolve() let p = Promise.resolve()
.then(promise_violation("trusted-types two")) .then(promise_violation("trusted-types two"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLElement.innerText")) .then(expect_sample("HTMLElement.innerText"))
.then(expect_sample("abbb")) .then(expect_sample("abbb"))
.then(e => assert_less_than(e.sample.length, 150)); .then(e => assert_less_than(e.sample.length, 150));
...@@ -211,6 +216,7 @@ ...@@ -211,6 +216,7 @@
promise_test(t => { promise_test(t => {
let p = Promise.resolve() let p = Promise.resolve()
.then(promise_violation("trusted-types one")) .then(promise_violation("trusted-types one"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLAnchorElement.href")) .then(expect_sample("HTMLAnchorElement.href"))
.then(expect_sample("abc")); .then(expect_sample("abc"));
expect_throws(_ => document.getElementById("customlink").href = "abc"); expect_throws(_ => document.getElementById("customlink").href = "abc");
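Review bot: `expect_blocked_uri` (first hunk, the `function expect_blocked_uri(s)` lines) still hand-builds its failure message around `assert_true(e.blockedURI === s, ...)`, which is exactly how the `e.blockedUri` typo this hunk corrects crept in; testharness's `assert_equals(e.blockedURI, s, "blockedURI")` prints both values on failure and removes the hand-written template entirely. The six added `.then(expect_blocked_uri("trusted-types-sink"))` steps cover the sink case, but I see no matching `expect_blocked_uri("trusted-types-policy")` check in this diff, so if none exists elsewhere in the file the policy-violation resource string from the C++ change remains untested. The promise_test bodies start and end outside these hunks.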