Make Trusted Types ununforgeable.

Context: https://github.com/w3c/webappsec-trusted-types/issues/257 Bug: 1058400 Change-Id: Ie91e8ad7e8eff814e3aaa1d940ca0bc1d6c2f09e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089705Reviewed-by: Yifan Luo <lyf@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#748022}

Make Trusted Types ununforgeable.
Context: https://github.com/w3c/webappsec-trusted-types/issues/257 Bug: 1058400 Change-Id: Ie91e8ad7e8eff814e3aaa1d940ca0bc1d6c2f09e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089705Reviewed-by: Yifan Luo <lyf@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#748022}
7c4c1500 · Mike West · Commit Bot · 4e6e084b · 7c4c1500 · 7c4c1500
Commit 7c4c1500 authored Mar 07, 2020 by Mike West Committed by Commit Bot Mar 07, 2020
10 changed files
--- a/third_party/blink/renderer/core/frame/window.idl
+++ b/third_party/blink/renderer/core/frame/window.idl
@@ -209,7 +209,7 @@
    [DisableInNewIDLCompiler] attribute DOMMatrixConstructor WebKitCSSMatrix;
    // TrustedTypes API: http://github.com/wicg/trusted-types
-    [RuntimeEnabled=TrustedDOMTypes, Unforgeable] readonly attribute TrustedTypePolicyFactory trustedTypes;
+    [RuntimeEnabled=TrustedDOMTypes] readonly attribute TrustedTypePolicyFactory trustedTypes;
 };
 Window includes GlobalEventHandlers;

--- a/third_party/blink/renderer/core/trustedtypes/trusted_type_policy.idl
+++ b/third_party/blink/renderer/core/trustedtypes/trusted_type_policy.idl
@@ -10,8 +10,8 @@ typedef (DOMString or TrustedHTML or TrustedScript or TrustedScriptURL) TrustedS
    Exposed=Window,
    RuntimeEnabled=TrustedDOMTypes
 ] interface TrustedTypePolicy {
-    [Unforgeable] readonly attribute DOMString name;
+    readonly attribute DOMString name;
-    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedHTML createHTML(DOMString input, any... args);
+    [CallWith=ScriptState, RaisesException] TrustedHTML createHTML(DOMString input, any... args);
-    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedScript createScript(DOMString input, any... args);
+    [CallWith=ScriptState, RaisesException] TrustedScript createScript(DOMString input, any... args);
-    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedScriptURL createScriptURL(DOMString input, any... args);
+    [CallWith=ScriptState, RaisesException] TrustedScriptURL createScriptURL(DOMString input, any... args);
 };
--- a/third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.idl
+++ b/third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.idl
@@ -8,14 +8,14 @@
    Exposed=(Window, Worker),
    RuntimeEnabled=TrustedDOMTypes
 ] interface TrustedTypePolicyFactory {
-    [RaisesException, Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
+    [RaisesException] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
-    [Unforgeable] readonly attribute TrustedTypePolicy defaultPolicy;
+    readonly attribute TrustedTypePolicy defaultPolicy;
    // All the policy object names that have been created
-    [CallWith=ScriptState, Unforgeable] boolean isHTML(any checkedObject);
+    [CallWith=ScriptState] boolean isHTML(any checkedObject);
-    [CallWith=ScriptState, Unforgeable] boolean isScript(any checkedObject);
+    [CallWith=ScriptState] boolean isScript(any checkedObject);
-    [CallWith=ScriptState, Unforgeable] boolean isScriptURL(any checkedObject);
+    [CallWith=ScriptState] boolean isScriptURL(any checkedObject);
-    [Unforgeable] readonly attribute TrustedHTML emptyHTML;
+    readonly attribute TrustedHTML emptyHTML;
-    [Unforgeable] readonly attribute TrustedScript emptyScript;
+    readonly attribute TrustedScript emptyScript;
    // Trusted Types metadata, following the proposal in:
    // https://github.com/WICG/trusted-types/pull/149/commits/ecd9ab0b6993674951bfc7b44a04530fce7468a7

--- a/third_party/blink/renderer/core/workers/worker_global_scope.idl
+++ b/third_party/blink/renderer/core/workers/worker_global_scope.idl
@@ -75,7 +75,7 @@
    readonly attribute FontFaceSet fonts;
    // TrustedTypes API: http://github.com/wicg/trusted-types
-    [RuntimeEnabled=TrustedDOMTypes, Unforgeable] readonly attribute TrustedTypePolicyFactory trustedTypes;
+    [RuntimeEnabled=TrustedDOMTypes] readonly attribute TrustedTypePolicyFactory trustedTypes;
 };
 WorkerGlobalScope includes WindowOrWorkerGlobalScope;

--- a/third_party/blink/web_tests/external/wpt/interfaces/trusted-types.tentative.idl
+++ b/third_party/blink/web_tests/external/wpt/interfaces/trusted-types.tentative.idl
@@ -4,33 +4,43 @@ typedef (DOMString or TrustedHTML) HTMLString;
 typedef (DOMString or TrustedScript) ScriptString;
 typedef (DOMString or TrustedScriptURL) ScriptURLString;
-[Exposed=(Window, Worker)]
+[
-interface TrustedHTML {
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedHTML {
    stringifier;
 };
-[Exposed=(Window, Worker)]
+[
-interface TrustedScript {
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedScript {
    stringifier;
 };
-[Exposed=(Window, Worker)]
+[
-interface TrustedScriptURL {
+  Exposed=(Window, Worker),
+  SecureContext
+] interface TrustedScriptURL {
    stringifier;
 };
-[Exposed=(Window, Worker)]
+[
-interface TrustedTypePolicyFactory {
+  Exposed=(Window, Worker),
-    [Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
+  SecureContext
+] interface TrustedTypePolicyFactory {
+    TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
    // All the policy object names that have been created
 };
-[Exposed=(Window, Worker)]
+[
-interface TrustedTypePolicy {
+  Exposed=(Window, Worker),
-    [Unforgeable] readonly attribute DOMString name;
+  SecureContext
-    [Unforgeable] TrustedHTML createHTML(DOMString input);
+] interface TrustedTypePolicy {
-    [Unforgeable] TrustedScript createScript(DOMString input);
+    readonly attribute DOMString name;
-    [Unforgeable] TrustedScriptURL createScriptURL(DOMString input);
+    TrustedHTML createHTML(DOMString input);
+    TrustedScript createScript(DOMString input);
+    TrustedScriptURL createScriptURL(DOMString input);
 };
 dictionary TrustedTypePolicyOptions {

--- a/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.html
@@ -82,40 +82,4 @@
    assert_false(trustedTypes.isScriptURL('test'));
    assert_false(trustedTypes.isScriptURL({}));
  }, 'TrustedTypePolicyFactory.isXXX should accept anything without throwing.');
-  // Redefinition tests, assign to property.
-  // (Assignments will through in the polyfill (because the objects are frozen)
-  //  but will be silently dropped in the native implementation (because that's
-  //  what [Unforgeable] does. Hence, the tests use try {..} catch {} to cover
-  //  both situationsm rather than expect_throws(...).)
-  test(t => {
-    try { trustedTypes.isHTML = () => 'fake'; } catch { }
-    assert_false(trustedTypes.isHTML({}));
-  }, 'TrustedTypePolicyFactory.IsHTML cannot be redefined.');
-  test(t => {
-    try { trustedTypes.isScript = () => 'fake'; } catch { }
-    assert_false(trustedTypes.isScript({}));
-  }, 'TrustedTypePolicyFactory.isScript cannot be redefined.');
-  test(t => {
-    try { trustedTypes.isScriptURL = () => 'fake'; } catch { }
-    assert_false(trustedTypes.isScriptURL({}));
-  }, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined.');
-  // Redefinition tests, via Object.defineProperty.
-  test(t => {
-    try { Object.defineProperty(trustedTypes, 'isHTML', () => 'fake'); } catch { }
-    assert_false(trustedTypes.isHTML({}));
-  }, 'TrustedTypePolicyFactory.IsHTML cannot be redefined via defineProperty.');
-  test(t => {
-    try { Object.defineProperty(trustedTypes, 'isScript', () => 'fake'); } catch { }
-    assert_false(trustedTypes.isScript({}));
-  }, 'TrustedTypePolicyFactory.isScript cannot be redefined via definePropert.');
-  test(t => {
-    try { Object.defineProperty(trustedTypes, 'isScriptURL', () => 'fake'); } catch { }
-    assert_false(trustedTypes.isScriptURL({}));
-  }, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined via definePropert.');
 </script>
--- a/third_party/blink/web_tests/http/tests/serviceworker/webexposed/global-interface-listing-service-worker-expected.txt
+++ b/third_party/blink/web_tests/http/tests/serviceworker/webexposed/global-interface-listing-service-worker-expected.txt
@@ -1426,10 +1426,17 @@ interface TransformStream
    method constructor
 interface TrustedTypePolicyFactory
    attribute @@toStringTag
+    getter defaultPolicy
+    getter emptyHTML
+    getter emptyScript
    method constructor
+    method createPolicy
    method getAttributeType
    method getPropertyType
    method getTypeMapping
+    method isHTML
+    method isScript
+    method isScriptURL
 interface URL
    attribute @@toStringTag
    getter hash
@@ -3702,6 +3709,7 @@ interface WorkerGlobalScope : EventTarget
    getter origin
    getter performance
    getter self
+    getter trustedTypes
    method atob
    method btoa
    method clearInterval
@@ -3802,7 +3810,6 @@ interface WritableStreamDefaultWriter
    getter onsync
    getter registration
    getter serviceWorker
-    getter trustedTypes
    method gc
    method skipWaiting
    setter cookieStore

--- a/third_party/blink/web_tests/webexposed/global-interface-listing-dedicated-worker-expected.txt
+++ b/third_party/blink/web_tests/webexposed/global-interface-listing-dedicated-worker-expected.txt
@@ -1357,10 +1357,17 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     method constructor
 [Worker] interface TrustedTypePolicyFactory
 [Worker]     attribute @@toStringTag
+[Worker]     getter defaultPolicy
+[Worker]     getter emptyHTML
+[Worker]     getter emptyScript
 [Worker]     method constructor
+[Worker]     method createPolicy
 [Worker]     method getAttributeType
 [Worker]     method getPropertyType
 [Worker]     method getTypeMapping
+[Worker]     method isHTML
+[Worker]     method isScript
+[Worker]     method isScriptURL
 [Worker] interface URL
 [Worker]     static method createObjectURL
 [Worker]     static method revokeObjectURL
@@ -3752,6 +3759,7 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     getter origin
 [Worker]     getter performance
 [Worker]     getter self
+[Worker]     getter trustedTypes
 [Worker]     method atob
 [Worker]     method btoa
 [Worker]     method clearInterval
@@ -3880,7 +3888,6 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     getter name
 [Worker]     getter onmessage
 [Worker]     getter onmessageerror
-[Worker]     getter trustedTypes
 [Worker]     method cancelAnimationFrame
 [Worker]     method close
 [Worker]     method gc

--- a/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
+++ b/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
@@ -8436,13 +8436,24 @@ interface TrustedScriptURL
    method toString
 interface TrustedTypePolicy
    attribute @@toStringTag
+    getter name
    method constructor
+    method createHTML
+    method createScript
+    method createScriptURL
 interface TrustedTypePolicyFactory
    attribute @@toStringTag
+    getter defaultPolicy
+    getter emptyHTML
+    getter emptyScript
    method constructor
+    method createPolicy
    method getAttributeType
    method getPropertyType
    method getTypeMapping
+    method isHTML
+    method isScript
+    method isScriptURL
 interface UIEvent : Event
    attribute @@toStringTag
    getter detail

--- a/third_party/blink/web_tests/webexposed/global-interface-listing-shared-worker-expected.txt
+++ b/third_party/blink/web_tests/webexposed/global-interface-listing-shared-worker-expected.txt
@@ -1303,10 +1303,17 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     method constructor
 [Worker] interface TrustedTypePolicyFactory
 [Worker]     attribute @@toStringTag
+[Worker]     getter defaultPolicy
+[Worker]     getter emptyHTML
+[Worker]     getter emptyScript
 [Worker]     method constructor
+[Worker]     method createPolicy
 [Worker]     method getAttributeType
 [Worker]     method getPropertyType
 [Worker]     method getTypeMapping
+[Worker]     method isHTML
+[Worker]     method isScript
+[Worker]     method isScriptURL
 [Worker] interface URL
 [Worker]     static method createObjectURL
 [Worker]     static method revokeObjectURL
@@ -3574,6 +3581,7 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     getter origin
 [Worker]     getter performance
 [Worker]     getter self
+[Worker]     getter trustedTypes
 [Worker]     method atob
 [Worker]     method btoa
 [Worker]     method clearInterval
@@ -3701,7 +3709,6 @@ Starting worker: resources/global-interface-listing-worker.js
 [Worker]     attribute internals
 [Worker]     getter name
 [Worker]     getter onconnect
-[Worker]     getter trustedTypes
 [Worker]     method close
 [Worker]     method gc
 [Worker]     method webkitRequestFileSystem