Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rewrite listeners in block-text-node-insertion-into*script-element.html #50824

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Rewrite listeners in block-text-node-insertion-into*script-element.html #50824

wants to merge 1 commit into from

Conversation

fred-wang
Copy link
Contributor

@fred-wang fred-wang commented Feb 20, 2025
edited
Loading 

These tests rely on checkSecurityPolicyViolationEvent() and
checkMessage() to register listeners for "securitypolicyviolation" and
"message" events but they are actually called after the DOM mutations
that triggering these events, so that makes the test less readable and
possibly flaky. Instead:

- We rely on existing async APIs from `support/csp-violations.js` to
  listen for the violation events. The finaly "trigger fail" only
  seems to be used to force a final message, so we remove it.

- We tweak checkMessage() so it accepts a function to execute after
  event registration, similarly to what `support/csp-violations.js`
  APIs do.

See https://github.com/w3c/trusted-types/issues/576

Note: some SVG tests are just copies of the HTML tests and look wrong since
the default policy expects to see "SVGScriptElement text" sinks. We rewrite
this a bit in follow-up PRs.

@wpt-pr-bot wpt-pr-bot requested a review from mikewest February 20, 2025 11:06
@fred-wang fred-wang marked this pull request as draft February 20, 2025 11:07
@fred-wang fred-wang force-pushed the checkSecurityPolicyViolationEvent branch from 96b7e8d to b9794a4 Compare February 21, 2025 08:56
@fred-wang
Rewrite listeners in block-text-node-insertion-into*script-element.html
45f51ef 
These tests rely on checkSecurityPolicyViolationEvent() and
checkMessage() to register listeners for "securitypolicyviolation" and
"message" events but they are actually called after the DOM mutations
that triggering these events, so that makes the test less readable and
possibly flaky. Instead:

- We rely on existing async APIs from `support/csp-violations.js` to
  listen for the violation events. The finaly "trigger fail" only
  seems to be used to force a final message, so we remove it.

- We tweak checkMessage() so it accepts a function to execute after
  event registration, similarly to what `support/csp-violations.js`
  APIs do.

See w3c/trusted-types#576

Note: some SVG tests are just copies of the HTML tests and look wrong since
the default policy expects to see "SVGScriptElement text" sinks. We rewrite
this a bit in follow-up PRs.
@fred-wang fred-wang force-pushed the checkSecurityPolicyViolationEvent branch from b9794a4 to 45f51ef Compare February 21, 2025 09:08
@fred-wang fred-wang marked this pull request as ready for review February 21, 2025 09:09
@fred-wang fred-wang requested a review from lukewarlow February 21, 2025 09:09
@fred-wang fred-wang mentioned this pull request Feb 21, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikewest mikewest Awaiting requested review from mikewest

@lukewarlow lukewarlow Awaiting requested review from lukewarlow

At least 1 approving review is required to merge this pull request.

Assignees

@mikewest mikewest

Labels
trusted-types wg-s_webappsec
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fred-wang @mikewest @wpt-pr-bot