LibWeb: Add a bunch of WPT tests for TrustedTypes

We now successfully pass these

Author: tete17

Tests/LibWeb/Text/expected/wpt-import/trusted-types/DOMParser-parseFromString-regression.txt

@@ -0,0 +1,6 @@
+Harness status: OK
+
+Found 1 tests
+
+1 Pass
+Pass	Regression test for TT changes to parseFromString.

Tests/LibWeb/Text/expected/wpt-import/trusted-types/Document-write-appending-line-feed.txt

@@ -0,0 +1,11 @@
+Harness status: OK
+
+Found 6 tests
+
+6 Pass
+Pass	document.write() with TrustedHTML arguments only.
+Pass	document.write() with String arguments only.
+Pass	document.write() with TrustedHTML for all but one argument.
+Pass	document.writeln() with TrustedHTML arguments only.
+Pass	document.writeln() with String arguments only.
+Pass	document.writeln() with TrustedHTML for all but one argument.

Tests/LibWeb/Text/expected/wpt-import/trusted-types/block-Document-execCommand.txt

@@ -0,0 +1,12 @@
+Harness status: OK
+
+Found 6 tests
+
+5 Pass
+1 Fail
+Fail	Document.execCommand("insertHTML") throws.
+Pass	Document.execCommand("insertHTML") works with a TrustedHTML argument.
+Pass	Document.execCommand("paste") works as usual."
+Pass	Document.execCommand("paste") works with a TrustedHTML argument.
+Pass	Document.execCommand("insertHTML") works as usual with a default policy.
+Pass	Document.execCommand("paste") works as usual with a default policy.

Tests/LibWeb/Text/expected/wpt-import/trusted-types/block-string-assignment-to-HTMLIFrameElement-srcdoc.txt

@@ -0,0 +1,11 @@
+Harness status: OK
+
+Found 5 tests
+
+2 Pass
+3 Fail
+Pass	iframe.srcdoc assigned via policy (successful HTML transformation).
+Fail	`iframe.srcdoc = string` throws.
+Fail	`iframe.srcdoc = null` throws.
+Fail	`iframe.srcdoc = string` assigned via default policy (successful HTML transformation).
+Pass	`iframe.srcdoc = null` assigned via default policy does not throw

Tests/LibWeb/Text/expected/wpt-import/trusted-types/trusted-types-event-handlers.txt

@@ -0,0 +1,109 @@
+Harness status: OK
+
+Found 104 tests
+
+104 Pass
+Pass	Event handler onclick should be blocked.
+Pass	Event handler onchange should be blocked.
+Pass	Event handler onfocus should be blocked.
+Pass	Event handler oNclick should be blocked.
+Pass	Event handler OnClIcK should be blocked.
+Pass	Non-event handler one should not be blocked.
+Pass	Non-event handler oNe should not be blocked.
+Pass	Non-event handler onIcon should not be blocked.
+Pass	Non-event handler offIcon should not be blocked.
+Pass	Non-event handler blubb should not be blocked.
+Pass	Non-event handler div.align should not be blocked.
+Pass	Non-event handler div.title should not be blocked.
+Pass	Non-event handler div.inert should not be blocked.
+Pass	Non-event handler div.draggable should not be blocked.
+Pass	Event handler div.onabort should be blocked.
+Pass	Event handler div.onauxclick should be blocked.
+Pass	Event handler div.onbeforeinput should be blocked.
+Pass	Event handler div.onbeforematch should be blocked.
+Pass	Event handler div.onbeforetoggle should be blocked.
+Pass	Event handler div.onblur should be blocked.
+Pass	Event handler div.oncancel should be blocked.
+Pass	Event handler div.oncanplay should be blocked.
+Pass	Event handler div.oncanplaythrough should be blocked.
+Pass	Event handler div.onchange should be blocked.
+Pass	Event handler div.onclick should be blocked.
+Pass	Event handler div.onclose should be blocked.
+Pass	Event handler div.oncommand should be blocked.
+Pass	Event handler div.oncontextlost should be blocked.
+Pass	Event handler div.oncontextmenu should be blocked.
+Pass	Event handler div.oncontextrestored should be blocked.
+Pass	Event handler div.oncopy should be blocked.
+Pass	Event handler div.oncuechange should be blocked.
+Pass	Event handler div.oncut should be blocked.
+Pass	Event handler div.ondblclick should be blocked.
+Pass	Event handler div.ondrag should be blocked.
+Pass	Event handler div.ondragend should be blocked.
+Pass	Event handler div.ondragenter should be blocked.
+Pass	Event handler div.ondragleave should be blocked.
+Pass	Event handler div.ondragover should be blocked.
+Pass	Event handler div.ondragstart should be blocked.
+Pass	Event handler div.ondrop should be blocked.
+Pass	Event handler div.ondurationchange should be blocked.
+Pass	Event handler div.onemptied should be blocked.
+Pass	Event handler div.onended should be blocked.
+Pass	Event handler div.onerror should be blocked.
+Pass	Event handler div.onfocus should be blocked.
+Pass	Event handler div.onfocusin should be blocked.
+Pass	Event handler div.onfocusout should be blocked.
+Pass	Event handler div.onformdata should be blocked.
+Pass	Event handler div.oninput should be blocked.
+Pass	Event handler div.oninvalid should be blocked.
+Pass	Event handler div.onkeydown should be blocked.
+Pass	Event handler div.onkeypress should be blocked.
+Pass	Event handler div.onkeyup should be blocked.
+Pass	Event handler div.onload should be blocked.
+Pass	Event handler div.onloadeddata should be blocked.
+Pass	Event handler div.onloadedmetadata should be blocked.
+Pass	Event handler div.onloadstart should be blocked.
+Pass	Event handler div.onmousedown should be blocked.
+Pass	Event handler div.onmouseenter should be blocked.
+Pass	Event handler div.onmouseleave should be blocked.
+Pass	Event handler div.onmousemove should be blocked.
+Pass	Event handler div.onmouseout should be blocked.
+Pass	Event handler div.onmouseover should be blocked.
+Pass	Event handler div.onmouseup should be blocked.
+Pass	Event handler div.onpaste should be blocked.
+Pass	Event handler div.onpause should be blocked.
+Pass	Event handler div.onplay should be blocked.
+Pass	Event handler div.onplaying should be blocked.
+Pass	Event handler div.onprogress should be blocked.
+Pass	Event handler div.onratechange should be blocked.
+Pass	Event handler div.onreset should be blocked.
+Pass	Event handler div.onresize should be blocked.
+Pass	Event handler div.onscroll should be blocked.
+Pass	Event handler div.onscrollend should be blocked.
+Pass	Event handler div.onsecuritypolicyviolation should be blocked.
+Pass	Event handler div.onseeked should be blocked.
+Pass	Event handler div.onseeking should be blocked.
+Pass	Event handler div.onselect should be blocked.
+Pass	Event handler div.onselectionchange should be blocked.
+Pass	Event handler div.onslotchange should be blocked.
+Pass	Event handler div.onstalled should be blocked.
+Pass	Event handler div.onsubmit should be blocked.
+Pass	Event handler div.onsuspend should be blocked.
+Pass	Event handler div.ontimeupdate should be blocked.
+Pass	Event handler div.ontoggle should be blocked.
+Pass	Event handler div.onvolumechange should be blocked.
+Pass	Event handler div.onwaiting should be blocked.
+Pass	Event handler div.onwebkitanimationend should be blocked.
+Pass	Event handler div.onwebkitanimationiteration should be blocked.
+Pass	Event handler div.onwebkitanimationstart should be blocked.
+Pass	Event handler div.onwebkittransitionend should be blocked.
+Pass	Event handler div.onwheel should be blocked.
+Pass	Event handler div.onpointerover should be blocked.
+Pass	Event handler div.onpointerenter should be blocked.
+Pass	Event handler div.onpointerdown should be blocked.
+Pass	Event handler div.onpointermove should be blocked.
+Pass	Event handler div.onpointerrawupdate should be blocked.
+Pass	Event handler div.onpointerup should be blocked.
+Pass	Event handler div.onpointercancel should be blocked.
+Pass	Event handler div.onpointerout should be blocked.
+Pass	Event handler div.onpointerleave should be blocked.
+Pass	Event handler div.ongotpointercapture should be blocked.
+Pass	Event handler div.onlostpointercapture should be blocked.

Tests/LibWeb/Text/expected/wpt-import/trusted-types/trusted-types-reporting-for-Element-innerHTML.txt

@@ -0,0 +1,7 @@
+Harness status: OK
+
+Found 2 tests
+
+2 Pass
+Pass	No violation reported for TrustedHTML.
+Pass	Violation report for plain string.

Tests/LibWeb/Text/input/wpt-import/trusted-types/DOMParser-parseFromString-regression.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="blabla">
+<body>
+<div id="target"></div>
+<div id="probe"></div>
+<script>
+test(t => {
+  // Regression test for crbug.com/1030830. (Should work in any browser, though.)
+  //
+  // The top-level doc has a CSP that doesn't do anything interesting. We'll
+  // parse a doc and create an iframe with an embedded CSP, and will ensure that
+  // the CSP applies to the frame, but not the top-level doc.
+  const target = document.getElementById("target");
+  const probe = document.getElementById("probe");
+  probe.innerHTML = "probe";
+
+  const doc = new DOMParser().parseFromString(`
+    <body><div id="probe"></div></body>"`, "text/html");
+  probe.innerHTML = "probe";
+
+  const frame = document.createElement("iframe");
+  frame.src = `data:text/html;${encodeURI(doc.documentElement.outerHTML)}`;
+  frame.id = "frame";
+  target.appendChild(frame);
+  const frame_probe = document.getElementById("frame").contentDocument.getElementById("probe");
+  probe.innerHTML = "probe";
+  assert_throws_js(TypeError, _ => { frame_probe.innnerHTML = "probe" });
+}, "Regression test for TT changes to parseFromString.");
+</script>
+</body>

Tests/LibWeb/Text/input/wpt-import/trusted-types/Document-write-appending-line-feed.html

@@ -0,0 +1,76 @@
+<!DOCTYPE html>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<link rel="help" href="https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#document-write-steps">
+<meta name="assert" content="U+000A LINE FEED is only appended for document.writeln() and only after the arguments are concatenated and sanitized.">
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
+<body>
+<script>
+  trustedTypes.createPolicy('default', { createHTML: x => `[${x}]` });
+  const customPolicy =
+    trustedTypes.createPolicy('custom', { createHTML: x => `(${x})` });
+  const cleanupPolicy =
+    trustedTypes.createPolicy('cleanup', { createHTML: x => x });
+  const doc = (new DOMParser()).parseFromString(`<body></body>`, "text/html");
+  function cleanup() { doc.body.innerHTML = cleanupPolicy.createHTML(""); }
+
+  test(t => {
+    t.add_cleanup(cleanup);
+    let a = customPolicy.createHTML("1");
+    let b = customPolicy.createHTML("2");
+    let c = customPolicy.createHTML("3");
+    let d = customPolicy.createHTML("4");
+    doc.write(a, b, c, d);
+    assert_equals(doc.body.innerHTML, "(1)(2)(3)(4)");
+  }, "document.write() with TrustedHTML arguments only.");
+
+  test(t => {
+    t.add_cleanup(cleanup);
+    let a = "1"
+    let b = "2"
+    let c = "3";
+    let d = "4"
+    doc.write(a, b, c, d);
+    assert_equals(doc.body.innerHTML, "[1234]");
+  }, "document.write() with String arguments only.");
+
+  test(t => {
+    t.add_cleanup(cleanup);
+    let a = customPolicy.createHTML("1");
+    let b = customPolicy.createHTML("2");
+    let c = "3";
+    let d = customPolicy.createHTML("4");
+    doc.write(a, b, c, d);
+    assert_equals(doc.body.innerHTML, "[(1)(2)3(4)]");
+  }, "document.write() with TrustedHTML for all but one argument.");
+
+  test(t => {
+    t.add_cleanup(cleanup);
+    let a = customPolicy.createHTML("1");
+    let b = customPolicy.createHTML("2");
+    let c = customPolicy.createHTML("3");
+    let d = customPolicy.createHTML("4");
+    doc.writeln(a, b, c, d);
+    assert_equals(doc.body.innerHTML, "(1)(2)(3)(4)\n");
+  }, "document.writeln() with TrustedHTML arguments only.");
+
+  test(t => {
+    t.add_cleanup(cleanup);
+    let a = "1"
+    let b = "2"
+    let c = "3";
+    let d = "4"
+    doc.writeln(a, b, c, d);
+    assert_equals(doc.body.innerHTML, "[1234]\n");
+  }, "document.writeln() with String arguments only.");
+
+  test(t => {
+    t.add_cleanup(cleanup);
+    let a = customPolicy.createHTML("1");
+    let b = customPolicy.createHTML("2");
+    let c = "3";
+    let d = customPolicy.createHTML("4");
+    doc.writeln(a, b, c, d);
+    assert_equals(doc.body.innerHTML, "[(1)(2)3(4)]\n");
+  }, "document.writeln() with TrustedHTML for all but one argument.");
+</script>

Tests/LibWeb/Text/input/wpt-import/trusted-types/block-Document-execCommand.html

@@ -0,0 +1,48 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+<link rel="author" title="Daniel Vogelheim" href="mailto:[email protected]"></link>
+<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/"></link>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<body>
+<script>
+  // Tests that certain execCommand commands will observe Trusted Types if
+  // it's enforced.
+  const commands = [ "insertHTML", "paste" ];
+  const tt_commands = [ "insertHTML" ];
+
+  // A pass-through policy for testing.
+  const a_policy = trustedTypes.createPolicy("a policy", {"createHTML": x => x});
+
+  for (const command of commands) {
+    const requires_tt = tt_commands.includes(command);
+
+    // Test that execCommand with String throws, but only for commands that
+    // require TT.
+    if (requires_tt) {
+      test(t => {
+        assert_throws_js(TypeError, _ => document.execCommand(command, false, "<em>Hello World</em>"));
+      }, `Document.execCommand("${command}") throws.`);
+    } else {
+      test(t => {
+        document.execCommand(command, false, "<em>Hello World</em>");
+      }, `Document.execCommand("${command}") works as usual."`);
+    }
+    // Test that execCommand succeeds with a TrustedHTML argument.
+    test(t => {
+      document.execCommand(command, false, a_policy.createHTML("<em>Hello World</em>"));
+    }, `Document.execCommand("${command}") works with a TrustedHTML argument.`);
+  }
+
+  // Test that with a default policy, all comamnds will work again.
+  trustedTypes.createPolicy("default", {"createHTML": (x, _, sink) => {
+    assert_equals(sink, 'Document execCommand');
+    return x;
+  }});
+
+  for (const command of commands) {
+    test(t => {
+      document.execCommand(command, false, "<em>Hello World</em>");
+    }, `Document.execCommand("${command}") works as usual with a default policy.`);
+  }
+</script>

Tests/LibWeb/Text/input/wpt-import/trusted-types/block-string-assignment-to-HTMLIFrameElement-srcdoc.html

@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
+<body>
+<script>
+  // TrustedHTML assignments do not throw.
+  test(t => {
+    let p = createHTML_policy(window, 1);
+    let html = p.createHTML(INPUTS.HTML);
+    let iframe = document.createElement("iframe");
+    iframe.srcdoc = html;
+    assert_equals(iframe.srcdoc, RESULTS.HTML);
+  }, "iframe.srcdoc assigned via policy (successful HTML transformation).");
+
+  // String assignments throw.
+  test(t => {
+    let iframe = document.createElement("iframe");
+    assert_throws_js(TypeError, _ => {
+      iframe.srcdoc = "A string";
+    });
+  }, "`iframe.srcdoc = string` throws.");
+
+  // Null assignment throws.
+  test(t => {
+    let iframe = document.createElement("iframe");
+    assert_throws_js(TypeError, _ => {
+      iframe.srcdoc = null;
+    });
+  }, "`iframe.srcdoc = null` throws.");
+
+  // After default policy creation string assignment implicitly calls createHTML
+  test(t => {
+    let p = window.trustedTypes.createPolicy("default", { createHTML:
+      (value, _, sink) => {
+        assert_equals(sink, "HTMLIFrameElement srcdoc");
+        return createHTMLJS(value);
+      }
+    });
+
+    let iframe = document.createElement("iframe");
+    iframe.srcdoc = INPUTS.HTML;
+    assert_equals(iframe.srcdoc, RESULTS.HTML);
+  }, "`iframe.srcdoc = string` assigned via default policy (successful HTML transformation).");
+
+  // After default policy creation null assignment implicitly calls createHTML.
+  test(t => {
+    let iframe = document.createElement("iframe");
+    iframe.srcdoc = null;
+    assert_equals(iframe.srcdoc, "null");
+  }, "`iframe.srcdoc = null` assigned via default policy does not throw");
+</script>