Attribute case-insensivity for Trusted Type attribute assignments

Element::setAttribute() implementation with TrustedType modified to prevent insecure case-insensitive attributes change with strings. Bug: 739170 Change-Id: Ia0636f4791cbc204b679de510e5c676de817dd11 Reviewed-on: https://chromium-review.googlesource.com/1238539 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#595493}

Attribute case-insensivity for Trusted Type attribute assignments
Element::setAttribute() implementation with TrustedType modified to prevent insecure case-insensitive attributes change with strings. Bug: 739170 Change-Id: Ia0636f4791cbc204b679de510e5c676de817dd11 Reviewed-on: https://chromium-review.googlesource.com/1238539 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#595493}
a4bc9a82 · Maja Kabus · Commit Bot · dcd6161a · a4bc9a82 · a4bc9a82
Commit a4bc9a82 authored Oct 01, 2018 by Maja Kabus Committed by Commit Bot Oct 01, 2018
3 changed files
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
@@ -73,4 +73,14 @@
  test(t => {
    assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', null, 'null');
  }, "a.rel accepts null");
+  test(t => {
+    let el = document.createElement('iframe');
+    assert_throws(new TypeError(), _ => {
+      el.setAttribute('SrC', INPUTS.URL);
+    });
+    assert_equals(el.src, '');
+  }, "`Element.prototype.setAttribute.SrC = string` throws.");
 </script>
--- a/third_party/blink/renderer/core/dom/element.cc
+++ b/third_party/blink/renderer/core/dom/element.cc
@@ -1636,16 +1636,18 @@ void Element::setAttribute(
    const StringOrTrustedHTMLOrTrustedScriptOrTrustedScriptURLOrTrustedURL&
        string_or_TT,
    ExceptionState& exception_state) {
-  if (GetCheckedAttributeNames().Contains(name)) {
+  // TODO(vogelheim): Check whether this applies to non-HTML documents, too.
+  AtomicString name_lowercase = LowercaseIfNecessary(name);
+  if (GetCheckedAttributeNames().Contains(name_lowercase)) {
    String attr_value =
        GetStringFromTrustedType(string_or_TT, &GetDocument(), exception_state);
    if (!exception_state.HadException())
-      setAttribute(name, AtomicString(attr_value), exception_state);
+      setAttribute(name_lowercase, AtomicString(attr_value), exception_state);
    return;
  }
  AtomicString value_string =
      AtomicString(GetStringFromTrustedTypeWithoutCheck(string_or_TT));
-  setAttribute(name, value_string, exception_state);
+  setAttribute(name_lowercase, value_string, exception_state);
 }
 const HashSet<AtomicString>& Element::GetCheckedAttributeNames() const {

--- a/third_party/blink/renderer/core/html/html_object_element.cc
+++ b/third_party/blink/renderer/core/html/html_object_element.cc
@@ -72,7 +72,7 @@ void HTMLObjectElement::Trace(blink::Visitor* visitor) {
 const HashSet<AtomicString>& HTMLObjectElement::GetCheckedAttributeNames()
    const {
  DEFINE_STATIC_LOCAL(HashSet<AtomicString>, attribute_set,
-                      ({"data", "codeBase"}));
+                      ({"data", "codebase"}));
  return attribute_set;
 }