[Trusted Types] Obey TT in createHTMLDocument-created documents.

This will pass on the Trusted Type enforcement requirement set by the CSP
header, but will not actually instantiate a TrustedTypePolicyFactory. That
plugs the current hole; but might not be an acceptable long-term solution.

Bug: 951536
Change-Id: I56d541d57184396ce1dacdac9236d9259189f621
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1886826
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#712226}

third_party/blink/renderer/core/dom/dom_implementation.cc

@@ -207,7 +207,8 @@ Document* DOMImplementation::createHTMLDocument(const String& title) {
       DocumentInit::Create()
           .WithContextDocument(document_->ContextDocument())
           .WithOwnerDocument(document_->ContextDocument())
-          .WithRegistrationContext(document_->RegistrationContext());
+          .WithRegistrationContext(document_->RegistrationContext())
+          .WithContentSecurityPolicy(document_->GetContentSecurityPolicy());
   auto* d = MakeGarbageCollected<HTMLDocument>(init);
   d->open();
   d->write("<!doctype html><html><head></head><body></body></html>");
@@ -219,6 +220,8 @@ Document* DOMImplementation::createHTMLDocument(const String& title) {
     title_element->AppendChild(d->createTextNode(title), ASSERT_NO_EXCEPTION);
   }
   d->SetContextFeatures(document_->GetContextFeatures());
+  if (document_->TrustedTypesRequiredByPolicy())
+    d->SetRequireTrustedTypes();
   return d;
 }
 

third_party/blink/renderer/core/trustedtypes/trusted_types_util.cc

@@ -147,7 +147,10 @@ bool TrustedTypeFail(TrustedTypeViolationKind kind,
 }
 
 TrustedTypePolicy* GetDefaultPolicy(const ExecutionContext* execution_context) {
-  return execution_context->GetTrustedTypes()->defaultPolicy();
+  DCHECK(execution_context);
+  return execution_context->GetTrustedTypes()
+             ? execution_context->GetTrustedTypes()->defaultPolicy()
+             : nullptr;
 }
 
 }  // namespace

third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-createHTMLDocument.tentative.html

+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/content-security-policy/support/testharness-helper.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+</head>
+<body>
+<script>
+
+test(t => {
+  function try_assign(doc) {
+    doc.createElement("script").textContent = "2+2";
+  }
+  assert_throws(new TypeError(),
+                _ => try_assign(document),
+                "Trusted Type assignment throws in main document");
+  assert_throws(new TypeError(),
+                _ => try_assign(document.implementation.createHTMLDocument("")),
+                "Trusted Type assignment throws in created document");
+}, "Trusted Types work in createHTMLDocument");
+
+test(t => {
+  const policy = trustedTypes.createPolicy("policy", {createHTML: x => x });
+  const value = policy.createHTML("hello");
+  const doc = document.implementation.createHTMLDocument("");
+  doc.body.innerHTML = value;
+  assert_equals(doc.body.textContent, "hello");
+  assert_throws(new TypeError(),
+                _ => { doc.body.innerHTML = "world"; },
+                "Cannot assign text value.");
+  assert_equals(doc.body.textContent, "hello");
+}, "Trusted Type instances can be used in createHTMLDocument");
+
+</script>
+</body>