Make Trusted Types ununforgeable.

Context: https://github.com/w3c/webappsec-trusted-types/issues/257

Bug: 1058400
Change-Id: Ie91e8ad7e8eff814e3aaa1d940ca0bc1d6c2f09e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089705Reviewed-by: Yifan Luo <lyf@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#748022}

third_party/blink/renderer/core/frame/window.idl

@@ -209,7 +209,7 @@
     [DisableInNewIDLCompiler] attribute DOMMatrixConstructor WebKitCSSMatrix;
 
     // TrustedTypes API: http://github.com/wicg/trusted-types
-    [RuntimeEnabled=TrustedDOMTypes, Unforgeable] readonly attribute TrustedTypePolicyFactory trustedTypes;
+    [RuntimeEnabled=TrustedDOMTypes] readonly attribute TrustedTypePolicyFactory trustedTypes;
 };
 
 Window includes GlobalEventHandlers;

third_party/blink/renderer/core/trustedtypes/trusted_type_policy.idl

@@ -10,8 +10,8 @@ typedef (DOMString or TrustedHTML or TrustedScript or TrustedScriptURL) TrustedS
     Exposed=Window,
     RuntimeEnabled=TrustedDOMTypes
 ] interface TrustedTypePolicy {
-    [Unforgeable] readonly attribute DOMString name;
-    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedHTML createHTML(DOMString input, any... args);
-    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedScript createScript(DOMString input, any... args);
-    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedScriptURL createScriptURL(DOMString input, any... args);
+    readonly attribute DOMString name;
+    [CallWith=ScriptState, RaisesException] TrustedHTML createHTML(DOMString input, any... args);
+    [CallWith=ScriptState, RaisesException] TrustedScript createScript(DOMString input, any... args);
+    [CallWith=ScriptState, RaisesException] TrustedScriptURL createScriptURL(DOMString input, any... args);
 };

third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.idl

@@ -8,14 +8,14 @@
     Exposed=(Window, Worker),
     RuntimeEnabled=TrustedDOMTypes
 ] interface TrustedTypePolicyFactory {
-    [RaisesException, Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
-    [Unforgeable] readonly attribute TrustedTypePolicy defaultPolicy;
+    [RaisesException] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
+    readonly attribute TrustedTypePolicy defaultPolicy;
     // All the policy object names that have been created
-    [CallWith=ScriptState, Unforgeable] boolean isHTML(any checkedObject);
-    [CallWith=ScriptState, Unforgeable] boolean isScript(any checkedObject);
-    [CallWith=ScriptState, Unforgeable] boolean isScriptURL(any checkedObject);
-    [Unforgeable] readonly attribute TrustedHTML emptyHTML;
-    [Unforgeable] readonly attribute TrustedScript emptyScript;
+    [CallWith=ScriptState] boolean isHTML(any checkedObject);
+    [CallWith=ScriptState] boolean isScript(any checkedObject);
+    [CallWith=ScriptState] boolean isScriptURL(any checkedObject);
+    readonly attribute TrustedHTML emptyHTML;
+    readonly attribute TrustedScript emptyScript;
 
     // Trusted Types metadata, following the proposal in:
     // https://github.com/WICG/trusted-types/pull/149/commits/ecd9ab0b6993674951bfc7b44a04530fce7468a7

third_party/blink/renderer/core/workers/worker_global_scope.idl

@@ -75,7 +75,7 @@
     readonly attribute FontFaceSet fonts;
 
     // TrustedTypes API: http://github.com/wicg/trusted-types
-    [RuntimeEnabled=TrustedDOMTypes, Unforgeable] readonly attribute TrustedTypePolicyFactory trustedTypes;
+    [RuntimeEnabled=TrustedDOMTypes] readonly attribute TrustedTypePolicyFactory trustedTypes;
 };
 
 WorkerGlobalScope includes WindowOrWorkerGlobalScope;

third_party/blink/web_tests/external/wpt/interfaces/trusted-types.tentative.idl

@@ -4,33 +4,43 @@ typedef (DOMString or TrustedHTML) HTMLString;
 typedef (DOMString or TrustedScript) ScriptString;
 typedef (DOMString or TrustedScriptURL) ScriptURLString;
 
-[Exposed=(Window, Worker)]
-interface TrustedHTML {
+[
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedHTML {
     stringifier;
 };
 
-[Exposed=(Window, Worker)]
-interface TrustedScript {
+[
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedScript {
     stringifier;
 };
 
-[Exposed=(Window, Worker)]
-interface TrustedScriptURL {
+[
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedScriptURL {
     stringifier;
 };
 
-[Exposed=(Window, Worker)]
-interface TrustedTypePolicyFactory {
-    [Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
+[
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedTypePolicyFactory {
+    TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
     // All the policy object names that have been created
 };
 
-[Exposed=(Window, Worker)]
-interface TrustedTypePolicy {
-    [Unforgeable] readonly attribute DOMString name;
-    [Unforgeable] TrustedHTML createHTML(DOMString input);
-    [Unforgeable] TrustedScript createScript(DOMString input);
-    [Unforgeable] TrustedScriptURL createScriptURL(DOMString input);
+[
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedTypePolicy {
+    readonly attribute DOMString name;
+    TrustedHTML createHTML(DOMString input);
+    TrustedScript createScript(DOMString input);
+    TrustedScriptURL createScriptURL(DOMString input);
 };
 
 dictionary TrustedTypePolicyOptions {

third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.html

@@ -82,40 +82,4 @@
     assert_false(trustedTypes.isScriptURL('test'));
     assert_false(trustedTypes.isScriptURL({}));
   }, 'TrustedTypePolicyFactory.isXXX should accept anything without throwing.');
-
-  // Redefinition tests, assign to property.
-  // (Assignments will through in the polyfill (because the objects are frozen)
-  //  but will be silently dropped in the native implementation (because that's
-  //  what [Unforgeable] does. Hence, the tests use try {..} catch {} to cover
-  //  both situationsm rather than expect_throws(...).)
-  test(t => {
-    try { trustedTypes.isHTML = () => 'fake'; } catch { }
-    assert_false(trustedTypes.isHTML({}));
-  }, 'TrustedTypePolicyFactory.IsHTML cannot be redefined.');
-
-  test(t => {
-    try { trustedTypes.isScript = () => 'fake'; } catch { }
-    assert_false(trustedTypes.isScript({}));
-  }, 'TrustedTypePolicyFactory.isScript cannot be redefined.');
-
-  test(t => {
-    try { trustedTypes.isScriptURL = () => 'fake'; } catch { }
-    assert_false(trustedTypes.isScriptURL({}));
-  }, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined.');
-
-  // Redefinition tests, via Object.defineProperty.
-  test(t => {
-    try { Object.defineProperty(trustedTypes, 'isHTML', () => 'fake'); } catch { }
-    assert_false(trustedTypes.isHTML({}));
-  }, 'TrustedTypePolicyFactory.IsHTML cannot be redefined via defineProperty.');
-
-  test(t => {
-    try { Object.defineProperty(trustedTypes, 'isScript', () => 'fake'); } catch { }
-    assert_false(trustedTypes.isScript({}));
-  }, 'TrustedTypePolicyFactory.isScript cannot be redefined via definePropert.');
-
-  test(t => {
-    try { Object.defineProperty(trustedTypes, 'isScriptURL', () => 'fake'); } catch { }
-    assert_false(trustedTypes.isScriptURL({}));
-  }, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined via definePropert.');
 </script>

third_party/blink/web_tests/http/tests/serviceworker/webexposed/global-interface-listing-service-worker-expected.txt

@@ -1426,10 +1426,17 @@ interface TransformStream
     method constructor
 interface TrustedTypePolicyFactory
     attribute @@toStringTag
+    getter defaultPolicy
+    getter emptyHTML
+    getter emptyScript
     method constructor
+    method createPolicy
     method getAttributeType
     method getPropertyType
     method getTypeMapping
+    method isHTML
+    method isScript
+    method isScriptURL
 interface URL
     attribute @@toStringTag
     getter hash
@@ -3702,6 +3709,7 @@ interface WorkerGlobalScope : EventTarget
     getter origin
     getter performance
     getter self
+    getter trustedTypes
     method atob
     method btoa
     method clearInterval
@@ -3802,7 +3810,6 @@ interface WritableStreamDefaultWriter
     getter onsync
     getter registration
     getter serviceWorker
-    getter trustedTypes
     method gc
     method skipWaiting
     setter cookieStore

third_party/blink/web_tests/webexposed/global-interface-listing-dedicated-worker-expected.txt

@@ -1357,10 +1357,17 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     method constructor
 [Worker] interface TrustedTypePolicyFactory
 [Worker]     attribute @@toStringTag
+[Worker]     getter defaultPolicy
+[Worker]     getter emptyHTML
+[Worker]     getter emptyScript
 [Worker]     method constructor
+[Worker]     method createPolicy
 [Worker]     method getAttributeType
 [Worker]     method getPropertyType
 [Worker]     method getTypeMapping
+[Worker]     method isHTML
+[Worker]     method isScript
+[Worker]     method isScriptURL
 [Worker] interface URL
 [Worker]     static method createObjectURL
 [Worker]     static method revokeObjectURL
@@ -3752,6 +3759,7 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     getter origin
 [Worker]     getter performance
 [Worker]     getter self
+[Worker]     getter trustedTypes
 [Worker]     method atob
 [Worker]     method btoa
 [Worker]     method clearInterval
@@ -3880,7 +3888,6 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     getter name
 [Worker]     getter onmessage
 [Worker]     getter onmessageerror
-[Worker]     getter trustedTypes
 [Worker]     method cancelAnimationFrame
 [Worker]     method close
 [Worker]     method gc

third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt

@@ -8436,13 +8436,24 @@ interface TrustedScriptURL
     method toString
 interface TrustedTypePolicy
     attribute @@toStringTag
+    getter name
     method constructor
+    method createHTML
+    method createScript
+    method createScriptURL
 interface TrustedTypePolicyFactory
     attribute @@toStringTag
+    getter defaultPolicy
+    getter emptyHTML
+    getter emptyScript
     method constructor
+    method createPolicy
     method getAttributeType
     method getPropertyType
     method getTypeMapping
+    method isHTML
+    method isScript
+    method isScriptURL
 interface UIEvent : Event
     attribute @@toStringTag
     getter detail

third_party/blink/web_tests/webexposed/global-interface-listing-shared-worker-expected.txt

@@ -1303,10 +1303,17 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     method constructor
 [Worker] interface TrustedTypePolicyFactory
 [Worker]     attribute @@toStringTag
+[Worker]     getter defaultPolicy
+[Worker]     getter emptyHTML
+[Worker]     getter emptyScript
 [Worker]     method constructor
+[Worker]     method createPolicy
 [Worker]     method getAttributeType
 [Worker]     method getPropertyType
 [Worker]     method getTypeMapping
+[Worker]     method isHTML
+[Worker]     method isScript
+[Worker]     method isScriptURL
 [Worker] interface URL
 [Worker]     static method createObjectURL
 [Worker]     static method revokeObjectURL
@@ -3574,6 +3581,7 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     getter origin
 [Worker]     getter performance
 [Worker]     getter self
+[Worker]     getter trustedTypes
 [Worker]     method atob
 [Worker]     method btoa
 [Worker]     method clearInterval
@@ -3701,7 +3709,6 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     attribute internals
 [Worker]     getter name
 [Worker]     getter onconnect
-[Worker]     getter trustedTypes
 [Worker]     method close
 [Worker]     method gc
 [Worker]     method webkitRequestFileSystem