location.assign() and location.replace() changed to accept TrustedTypes

Previous versions of functions made private and named assignFromString and replaceFromString,respectively. assign wraps assignFromString. replace wraps replaceFromString. Bug: 739170 Change-Id: I3fd39a44fed1482f7e07524815297b9eec322b60 Reviewed-on: https://chromium-review.googlesource.com/1134987 Commit-Queue: Maja Kabus <kabusm@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#574907}

location.assign() and location.replace() changed to accept TrustedTypes
Previous versions of functions made private and named assignFromString and replaceFromString,respectively. assign wraps assignFromString. replace wraps replaceFromString. Bug: 739170 Change-Id: I3fd39a44fed1482f7e07524815297b9eec322b60 Reviewed-on: https://chromium-review.googlesource.com/1134987 Commit-Queue: Maja Kabus <kabusm@google.com> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#574907}
f759f5dd · Maja Kabus · Commit Bot · d1cd2917 · f759f5dd · f759f5dd
Commit f759f5dd authored Jul 13, 2018 by Maja Kabus Committed by Commit Bot Jul 13, 2018
7 changed files
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-location-assign.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-location-assign.tentative.html
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="./support/helper.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types">
+</head>
+<body>
+<script>
+  //TrustedURL assignments work
+  test(t => {
+    var url = TrustedURL.create(location.href + "#xxx");
+    location.assign(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, safe construction.");
+  test(t => {
+    var url = TrustedURL.unsafelyCreate(location.href + "#xxx");
+    location.assign(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, unsafe construction.");
+  // String assignments throw.
+  test(t => {
+    assert_throws(new TypeError(), _ => {
+      location.assign("A string");
+    });
+  }, "`location.assign = string` throws");
+  //Null assignment throws
+  test(t => {
+    assert_throws(new TypeError(), _ => {
+      location.assign(null);
+    });
+  }, "`location.assign = null` throws");
+</script>
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-location-replace.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/block-string-assignment-to-location-replace.tentative.html
+<!DOCTYPE html>
+<html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="./support/helper.js"></script>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types">
+</head>
+<body>
+<script>
+  //TrustedURL replacements work
+  test(t => {
+    var url = TrustedURL.create(location.href + "#xxx");
+    location.replace(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, safe construction.");
+  test(t => {
+    var url = TrustedURL.unsafelyCreate(location.href + "#xxx");
+    location.replace(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, unsafe construction.");
+  // String replacements throw.
+  test(t => {
+    assert_throws(new TypeError(), _ => {
+      location.replace("A string");
+    });
+  }, "`location.replace = string` throws");
+  //Null replacement throws
+  test(t => {
+    assert_throws(new TypeError(), _ => {
+      location.replace(null);
+    });
+  }, "`location.replace = null` throws");
+</script>
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/location-assign.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/location-assign.tentative.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.js"></script>
+<body>
+<script>
+  test(t => {
+    var url = TrustedURL.create(location.href + "#xxx");
+    location.assign(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, safe construction.");
+  test(t => {
+    var url = TrustedURL.unsafelyCreate(location.href + "#xxx");
+    location.assign(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, unsafe construction.");
+</script>
--- a/third_party/WebKit/LayoutTests/external/wpt/trusted-types/location-replace.tentative.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/trusted-types/location-replace.tentative.html
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.js"></script>
+<body>
+<script>
+  test(t => {
+    var url = TrustedURL.create(location.href + "#xxx");
+    location.replace(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, safe construction.");
+  test(t => {
+    var url = TrustedURL.unsafelyCreate(location.href + "#xxx");
+    location.replace(url);
+    assert_equals("" + url, location.href, "location href");
+  }, "Basic processing: safe URL, unsafe construction.");
+</script>
--- a/third_party/blink/renderer/core/frame/location.cc
+++ b/third_party/blink/renderer/core/frame/location.cc
@@ -223,7 +223,7 @@ void Location::setHash(LocalDOMWindow* current_window,
 void Location::assign(LocalDOMWindow* current_window,
                      LocalDOMWindow* entered_window,
-                      const String& url,
+                      const USVStringOrTrustedURL& stringOrUrl,
                      ExceptionState& exception_state) {
  // TODO(yukishiino): Remove this check once we remove [CrossOrigin] from
  // the |assign| DOM operation's definition in Location.idl.  See the comment
@@ -233,13 +233,43 @@ void Location::assign(LocalDOMWindow* current_window,
    return;
  }
+  DCHECK(stringOrUrl.IsUSVString() ||
+         RuntimeEnabledFeatures::TrustedDOMTypesEnabled());
+  DCHECK(!stringOrUrl.IsNull());
+  if (stringOrUrl.IsUSVString() &&
+      current_window->document()->RequireTrustedTypes()) {
+    exception_state.ThrowTypeError(
+        "This document requires `TrustedURL` assignment.");
+    return;
+  }
+  String url = stringOrUrl.IsUSVString()
+                   ? stringOrUrl.GetAsUSVString()
+                   : stringOrUrl.GetAsTrustedURL()->toString();
  SetLocation(url, current_window, entered_window, &exception_state);
 }
 void Location::replace(LocalDOMWindow* current_window,
                       LocalDOMWindow* entered_window,
-                       const String& url,
+                       const USVStringOrTrustedURL& stringOrUrl,
                       ExceptionState& exception_state) {
+  DCHECK(stringOrUrl.IsUSVString() ||
+         RuntimeEnabledFeatures::TrustedDOMTypesEnabled());
+  DCHECK(!stringOrUrl.IsNull());
+  if (stringOrUrl.IsUSVString() &&
+      current_window->document()->RequireTrustedTypes()) {
+    exception_state.ThrowTypeError(
+        "This document requires `TrustedURL` assignment.");
+    return;
+  }
+  String url = stringOrUrl.IsUSVString()
+                   ? stringOrUrl.GetAsUSVString()
+                   : stringOrUrl.GetAsTrustedURL()->toString();
  SetLocation(url, current_window, entered_window, &exception_state,
              SetLocationPolicy::kReplaceThisFrame);
 }

--- a/third_party/blink/renderer/core/frame/location.h
+++ b/third_party/blink/renderer/core/frame/location.h
@@ -67,11 +67,11 @@ class CORE_EXPORT Location final : public ScriptWrappable {
  void assign(LocalDOMWindow* current_window,
              LocalDOMWindow* entered_window,
-              const String&,
+              const USVStringOrTrustedURL&,
              ExceptionState&);
  void replace(LocalDOMWindow* current_window,
               LocalDOMWindow* entered_window,
-               const String&,
+               const USVStringOrTrustedURL&,
               ExceptionState&);
  void reload(LocalDOMWindow* current_window);

--- a/third_party/blink/renderer/core/frame/location.idl
+++ b/third_party/blink/renderer/core/frame/location.idl
@@ -41,7 +41,7 @@
    // |assign| itself is not cross-origin accessible.
    // TODO(yukishiino): Remove [CrossOrigin] once we support the Incumbent
    // realm correctly.
-    [CallWith=(CurrentWindow,EnteredWindow), CrossOrigin, RaisesException] void assign(USVString url);
+    [CallWith=(CurrentWindow,EnteredWindow), CrossOrigin, RaisesException] void assign(URLString url);
    // |replace|, and *writing* |href| do not require a security check, as they
    // *change* the page, and thus these do not change any property of an
@@ -49,7 +49,7 @@
    // However, *reading* |href|, or accessing any component, is a security
    // problem, since that allows tracking navigation.
    // https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-)
-    [CallWith=(CurrentWindow,EnteredWindow), CrossOrigin, RaisesException] void replace(USVString url);
+    [CallWith=(CurrentWindow,EnteredWindow), CrossOrigin, RaisesException] void replace(URLString url);
    [CallWith=CurrentWindow] void reload();
    // TODO(foolip): |ancestorOrigins| should have [Unforgeable, SameObject].