[Trusted Types] Prevent mutation of Trusted Types built-ins.

Bug: 739170 Change-Id: Iafeabd00f6dde0c1ecf055a5f9f006059e43c9f7 Reviewed-on: https://chromium-review.googlesource.com/c/1346449 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#611736}

[Trusted Types] Prevent mutation of Trusted Types built-ins.
Bug: 739170 Change-Id: Iafeabd00f6dde0c1ecf055a5f9f006059e43c9f7 Reviewed-on: https://chromium-review.googlesource.com/c/1346449 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#611736}
cd82fb1b · Daniel Vogelheim · Commit Bot · 1bbbd151 · cd82fb1b · cd82fb1b
Commit cd82fb1b authored Nov 28, 2018 by Daniel Vogelheim Committed by Commit Bot Nov 28, 2018
6 changed files
--- a/third_party/blink/renderer/core/frame/window.idl
+++ b/third_party/blink/renderer/core/frame/window.idl
@@ -228,7 +228,7 @@

    //TrustedTypes API
    //http://github.com/wicg/trusted-types
-    [RuntimeEnabled=TrustedDOMTypes] readonly attribute TrustedTypePolicyFactory TrustedTypes;
+    [RuntimeEnabled=TrustedDOMTypes, Unforgeable] readonly attribute TrustedTypePolicyFactory TrustedTypes;
 };

 Window implements GlobalEventHandlers;

--- a/third_party/blink/renderer/core/trustedtypes/trusted_type_policy.idl
+++ b/third_party/blink/renderer/core/trustedtypes/trusted_type_policy.idl
@@ -10,9 +10,9 @@ typedef (DOMString or TrustedHTML or TrustedScript or TrustedScriptURL or Truste
    Exposed=Window,
    RuntimeEnabled=TrustedDOMTypes
 ] interface TrustedTypePolicy {
-    readonly attribute DOMString name;
-    [CallWith=ScriptState, RaisesException] TrustedHTML createHTML(DOMString input);
-    [CallWith=ScriptState, RaisesException] TrustedScript createScript(DOMString input);
-    [CallWith=ScriptState, RaisesException] TrustedScriptURL createScriptURL(DOMString input);
-    [CallWith=ScriptState, RaisesException] TrustedURL createURL(DOMString input);
+    [Unforgeable] readonly attribute DOMString name;
+    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedHTML createHTML(DOMString input);
+    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedScript createScript(DOMString input);
+    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedScriptURL createScriptURL(DOMString input);
+    [CallWith=ScriptState, RaisesException, Unforgeable] TrustedURL createURL(DOMString input);
 };
--- a/third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.idl
+++ b/third_party/blink/renderer/core/trustedtypes/trusted_type_policy_factory.idl
@@ -8,12 +8,12 @@
    Exposed=Window,
    RuntimeEnabled=TrustedDOMTypes
 ] interface TrustedTypePolicyFactory {
-    [RaisesException] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions, optional boolean exposed = false);
-    TrustedTypePolicy getExposedPolicy(DOMString policyName);
+    [RaisesException, Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions, optional boolean exposed = false);
+    [Unforgeable] TrustedTypePolicy getExposedPolicy(DOMString policyName);
    // All the policy object names that have been created
-    [Affects=Nothing] sequence<DOMString> getPolicyNames();
-    [CallWith=ScriptState] boolean isHTML(object? checkedObject);
-    [CallWith=ScriptState] boolean isScript(object? checkedObject);
-    [CallWith=ScriptState] boolean isScriptURL(object? checkedObject);
-    [CallWith=ScriptState] boolean isURL(object? checkedObject);
+    [Affects=Nothing, Unforgeable] sequence<DOMString> getPolicyNames();
+    [CallWith=ScriptState, Unforgeable] boolean isHTML(object? checkedObject);
+    [CallWith=ScriptState, Unforgeable] boolean isScript(object? checkedObject);
+    [CallWith=ScriptState, Unforgeable] boolean isScriptURL(object? checkedObject);
+    [CallWith=ScriptState, Unforgeable] boolean isURL(object? checkedObject);
 };
--- a/third_party/blink/web_tests/external/wpt/interfaces/trusted-types.tentative.idl
+++ b/third_party/blink/web_tests/external/wpt/interfaces/trusted-types.tentative.idl
@@ -27,18 +27,18 @@ interface TrustedURL {

 [Exposed=Window]
 interface TrustedTypePolicyFactory {
-    TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
+    [Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
    // All the policy object names that have been created
-    sequence<DOMString> getPolicyNames();
+    [Unforgeable] sequence<DOMString> getPolicyNames();
 };

 [Exposed=Window]
 interface TrustedTypePolicy {
-    readonly attribute DOMString name;
-    TrustedHTML createHTML(DOMString input);
-    TrustedScript createScript(DOMString input);
-    TrustedScriptURL createScriptURL(DOMString input);
-    TrustedURL createURL(DOMString input);
+    [Unforgeable] readonly attribute DOMString name;
+    [Unforgeable] TrustedHTML createHTML(DOMString input);
+    [Unforgeable] TrustedScript createScript(DOMString input);
+    [Unforgeable] TrustedScriptURL createScriptURL(DOMString input);
+    [Unforgeable] TrustedURL createURL(DOMString input);
 };

 dictionary TrustedTypePolicyOptions {

--- a/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.html
+++ b/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-isXXX.tentative.html
@@ -82,37 +82,50 @@
    assert_false(TrustedTypes.isURL(url3));
  }, 'TrustedTypePolicyFactory.isURL requires the object to be created via policy.');

-  // Redefinition tests
-  // TODO(vogelheim): Implement TrustedTypes (& policy objects) as 'frozen'.
-/*  test(t => {
-    assert_throws(new TypeError(), _ => {
-      TrustedTypes.isHTML = () => true;
-    });
-
+  // Redefinition tests, assign to property.
+  // (Assignments will through in the polyfill (because the objects are frozen)
+  //  but will be silently dropped in the native implementation (because that's
+  //  what [Unforgeable] does. Hence, the tests use try {..} catch {} to cover
+  //  both situationsm rather than expect_throws(...).)
+  test(t => {
+    try { TrustedTypes.isHTML = () => 'fake'; } catch { }
    assert_false(TrustedTypes.isHTML({}));
  }, 'TrustedTypePolicyFactory.IsHTML cannot be redefined.');

  test(t => {
-    assert_throws(new TypeError(), _ => {
-      TrustedTypes.isScript = () => true;
-    });
-
+    try { TrustedTypes.isScript = () => 'fake'; } catch { }
    assert_false(TrustedTypes.isScript({}));
  }, 'TrustedTypePolicyFactory.isScript cannot be redefined.');

  test(t => {
-    assert_throws(new TypeError(), _ => {
-      TrustedTypes.isScriptURL = () => true;
-    });
-
+    try { TrustedTypes.isScriptURL = () => 'fake'; } catch { }
    assert_false(TrustedTypes.isScriptURL({}));
  }, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined.');

  test(t => {
-    assert_throws(new TypeError(), _ => {
-      TrustedTypes.isURL = () => true;
-    });
+    try { TrustedTypes.isURL = () => 'fake'; } catch { }
+    assert_false(TrustedTypes.isURL({}));
+  }, 'TrustedTypePolicyFactory.isURL cannot be redefined.');
+
+  // Redefinition tests, via Object.defineProperty.
+  test(t => {
+    try { Object.defineProperty(TrustedTypes, 'isHTML', () => 'fake'); } catch { }
+    assert_false(TrustedTypes.isHTML({}));
+  }, 'TrustedTypePolicyFactory.IsHTML cannot be redefined via defineProperty.');
+
+  test(t => {
+    try { Object.defineProperty(TrustedTypes, 'isScript', () => 'fake'); } catch { }
+    assert_false(TrustedTypes.isScript({}));
+  }, 'TrustedTypePolicyFactory.isScript cannot be redefined via definePropert.');
+
+  test(t => {
+    try { Object.defineProperty(TrustedTypes, 'isScriptURL', () => 'fake'); } catch { }
+    assert_false(TrustedTypes.isScriptURL({}));
+  }, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined via definePropert.');

+  test(t => {
+    try { Object.defineProperty(TrustedTypes, 'isURL', () => 'fake'); } catch { }
    assert_false(TrustedTypes.isURL({}));
-  }, 'TrustedTypePolicyFactory.isURL cannot be redefined.');*/
+  }, 'TrustedTypePolicyFactory.isURL cannot be redefined via definePropert.');
+
 </script>
--- a/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
+++ b/third_party/blink/web_tests/webexposed/global-interface-listing-expected.txt
@@ -7539,22 +7539,10 @@ interface TrustedScriptURL
    method toString
 interface TrustedTypePolicy
    attribute @@toStringTag
-    getter name
    method constructor
-    method createHTML
-    method createScript
-    method createScriptURL
-    method createURL
 interface TrustedTypePolicyFactory
    attribute @@toStringTag
    method constructor
-    method createPolicy
-    method getExposedPolicy
-    method getPolicyNames
-    method isHTML
-    method isScript
-    method isScriptURL
-    method isURL
 interface TrustedURL
    attribute @@toStringTag
    method constructor