Unify naming of unsanitized Trusted Type policy

This change renames Trusted Type policy in jstemplate to unsanitizedPolicy, so that Gerrit or some other tools can use or monitor this keyword as a way to add specific reviewers. Bug: 41905 Change-Id: I3e23607f0407ea986898b4f58f4eb206dcd56a8c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2298291 Auto-Submit: Jun Kokatsu <Jun.Kokatsu@microsoft.com> Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Jun Kokatsu <Jun.Kokatsu@microsoft.com> Cr-Commit-Position: refs/heads/master@{#788454}

Unify naming of unsanitized Trusted Type policy
This change renames Trusted Type policy in jstemplate to unsanitizedPolicy, so that Gerrit or some other tools can use or monitor this keyword as a way to add specific reviewers. Bug: 41905 Change-Id: I3e23607f0407ea986898b4f58f4eb206dcd56a8c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2298291 Auto-Submit: Jun Kokatsu <Jun.Kokatsu@microsoft.com> Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Jun Kokatsu <Jun.Kokatsu@microsoft.com> Cr-Commit-Position: refs/heads/master@{#788454}
4ee8098d · Jun Kokatsu · Commit Bot · bc319a90 · 4ee8098d
Commit 4ee8098d authored Jul 15, 2020 by Jun Kokatsu Committed by Commit Bot Jul 15, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 18 deletions

third_party/jstemplate/jsevalcontext.js third_party/jstemplate/jsevalcontext.js +14 -18

No files found.
--- a/third_party/jstemplate/jsevalcontext.js
+++ b/third_party/jstemplate/jsevalcontext.js
@@ -305,25 +305,21 @@ JsEvalContext.prototype.evalExpression = function(expr, opt_template) {
 /**
 * This is used to create TrustedScript.
 *
- * @type {TrustedTypePolicy|undefined}
+ * @type {!TrustedTypePolicy}
 */
-let opaqueScriptPolicy;
+let unsanitizedPolicy;
 if (window.trustedTypes) {
-  opaqueScriptPolicy =
-      trustedTypes.createPolicy('jstemplate', {
-        createScript: opaqueScript => {
-          // This is relatively safe because attribute's values can
-          // only reach here with `JsEvalContext` bootstrap. And even
-          // if opaqueScript calls dangerous sinks (e.g. innerHTML),
-          // it'll still be subject to type check with Trusted Types.
-          // This could be exploited if bootstrap is called with an
-          // event which can be triggered after the page load
-          // (e.g. onclick).
-          // TODO(crbug.com/525224): Eliminate the use of jstemplate
-          // in WebUI
-          return opaqueScript;
-        },
-      });
+  // This is relatively safe because attribute's values can
+  // only reach here with `JsEvalContext` bootstrap. And even
+  // if opaqueScript calls dangerous sinks (e.g. innerHTML),
+  // it'll still be subject to type check with Trusted Types.
+  // This could be exploited if bootstrap is called with an
+  // event which can be triggered after the page load
+  // (e.g. onclick).
+  // TODO(crbug.com/525224): Eliminate the use of jstemplate
+  // in WebUI
+  unsanitizedPolicy = trustedTypes.createPolicy(
+      'jstemplate', {createScript: opaqueScript => opaqueScript});
 }


@@ -351,7 +347,7 @@ function jsEvalToFunction(expr) {
      /** @type {string} */
      const f = `(function(a_, b_) { with (a_) with (b_) return ${expr} })`;
      /** @type {!TrustedScript|string} */
-      const opaqueExpr = window.trustedTypes ? opaqueScriptPolicy.createScript(f) : f;
+      const opaqueExpr = window.trustedTypes ? unsanitizedPolicy.createScript(f) : f;

      // TODO(crbug.com/1087743): Support Function constructor in Trusted Types
      // TODO(crbug.com/1091600): Support TrustedScript type as an argument to