From 424f6084d7225491722e721561faafa028c3ee41 Mon Sep 17 00:00:00 2001 From: Luke Warlow Date: Tue, 7 May 2024 13:01:28 +0100 Subject: [PATCH] Update Trusted Types enforcement for document.write/writeln This changes from using HTMLString to a TrustedHTML or DOMString union. This also changes the timing of the default policy call. --- source | 108 ++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 99 insertions(+), 9 deletions(-) diff --git a/source b/source index 5e24758a826..fd07cd26dc9 100644 --- a/source +++ b/source @@ -4608,7 +4608,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute +
  • TrustedHTML
    • +
  • data
    • +
  • Get Trusted Type compliant string
    • + @@ -10694,8 +10697,8 @@ partial interface Document { [CEReactions] Document open(optional DOMString unused1, optional DOMString unused2); // both arguments are ignored WindowProxy? open(USVString url, DOMString name, DOMString features); [CEReactions] undefined close(); - [CEReactions] undefined write(HTMLString... text); - [CEReactions] undefined writeln(HTMLString... text); + [CEReactions] undefined write((TrustedHTML or DOMString)... text); + [CEReactions] undefined writeln((TrustedHTML or DOMString)... text); // user interaction readonly attribute WindowProxy? defaultView; @@ -112309,9 +112312,51 @@ document.body.appendChild(frame)

    The document.write(...) method steps are to run the - document write steps with this and a string that is the concatenation - of all arguments passed.

    + data-x="dom-document-write">document.write(...text) method steps are:

    + +
      +

    1. Let string be the empty string.

      2. + +

    2. Let isTrusted be true.

      3. + +
    3. +

      For each value in text:

      +
        +
      1. +

        If value is a TrustedHTML object:

        + +
          +

        1. Append value's associated data + to string.

          2. +
        +
        2. + +
      2. +

        Otherwise: + +

          +

        1. Set isTrusted to false.

          2. + +

        2. Append value to string.

          3. +
        +
        3. +
      +
      4. + +
    4. +

      If isTrusted is false:

      + +
        +

      1. Set string to the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, string, and "Document write".

        2. +
      +
      5. + +

    5. Run the document write steps with this and + string.

      6. +
    @@ -112340,9 +112385,54 @@ document.body.appendChild(frame)

    The document.writeln(...) method steps are to run the - document write steps with this and a string that is the concatenation - of all arguments passed and U+000A LINE FEED.

    + data-x="dom-document-writeln">document.writeln(...text) method steps + are:

    + +
      +

    1. Let string be the empty string.

      2. + +

    2. Let isTrusted be true.

      3. + +
    3. +

      For each value in text:

      +
        +
      1. +

        If value is a TrustedHTML object:

        + +
          +

        1. Append value's associated data + to string.

          2. +
        +
        2. + +
      2. +

        Otherwise: + +

          +

        1. Set isTrusted to false.

          2. + +

        2. Append value to string.

          3. +
        +
        3. +
      +
      4. + +
    4. +

      If isTrusted is false:

      + +
        +

      1. Set string to the result of invoking the Get Trusted Type compliant string algorithm with TrustedHTML, this's relevant global + object, string, and "Document writeln".

        2. +
      +
      5. + +

    5. Append U+000A LINE FEED to string

      6. + +

    6. Run the document write steps with this and + string.

      7. +