Add TT reporting tests for Worker eval and new Function() (#51425)

Author: lukewarlow

trusted-types/support/trusted-types-reporting-for-eval-worker.js

@@ -0,0 +1,11 @@
+const testSetupPolicy = trustedTypes.createPolicy("p", { createScriptURL: s => s });
+
+importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
+importScripts(testSetupPolicy.createScriptURL("helper.sub.js"));
+importScripts(testSetupPolicy.createScriptURL("csp-violations.js"));
+
+importScripts(testSetupPolicy.createScriptURL(
+  "trusted-types-reporting-for-eval.js"
+));
+
+done();

trusted-types/support/trusted-types-reporting-for-eval-worker.js.headers

@@ -0,0 +1,2 @@
+Content-Security-Policy: require-trusted-types-for 'script';
+Content-Security-Policy: connect-src 'none'

trusted-types/support/trusted-types-reporting-for-eval.js

@@ -0,0 +1,21 @@
+const policy = trustedTypes.createPolicy("dummy", { createScript: x => x });
+
+promise_test(async t => {
+  let beacon = 'never_overwritten2';
+  await no_trusted_type_violation_for(_ =>
+    eval(policy.createScript('beacon="i ran"'))
+  );
+  assert_equals(beacon, 'i ran');
+}, "No violation reported for eval with TrustedScript.");
+
+promise_test(async t => {
+  const input = 'beacon="should not run"';
+  let beacon = 'never_overwritten';
+  let violation = await trusted_type_violation_for(EvalError, _ =>
+    eval(input)
+  );
+  assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
+  assert_equals(violation.blockedURI, "trusted-types-sink");
+  assert_equals(violation.sample, `eval|${clipSampleIfNeeded(input)}`);
+  assert_equals(beacon, 'never_overwritten');
+}, "Violation report for eval with plain string.");

trusted-types/support/trusted-types-reporting-for-function-constructor-worker.js

@@ -0,0 +1,11 @@
+const testSetupPolicy = trustedTypes.createPolicy("p", { createScriptURL: s => s });
+
+importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
+importScripts(testSetupPolicy.createScriptURL("helper.sub.js"));
+importScripts(testSetupPolicy.createScriptURL("csp-violations.js"));
+
+importScripts(testSetupPolicy.createScriptURL(
+  "trusted-types-reporting-for-function-constructor.js"
+));
+
+done();

trusted-types/support/trusted-types-reporting-for-function-constructor-worker.js.headers

@@ -0,0 +1,2 @@
+Content-Security-Policy: require-trusted-types-for 'script';
+Content-Security-Policy: connect-src 'none'

trusted-types/support/trusted-types-reporting-for-function-constructor.js

@@ -0,0 +1,29 @@
+const policy = trustedTypes.createPolicy("dummy", { createScript: x => x });
+
+const AsyncFunction = async function() {}.constructor;
+const GeneratorFunction = function*() {}.constructor;
+const AsyncGeneratorFunction = async function*() {}.constructor;
+
+const input = `return${';'.repeat(100)}`;
+[Function, AsyncFunction, GeneratorFunction, AsyncGeneratorFunction].forEach(functionConstructor => {
+  promise_test(async t => {
+    await no_trusted_type_violation_for(_ =>
+      new functionConstructor(policy.createScript(input))
+    );
+  }, `No violation reported for ${functionConstructor.name} with TrustedScript.`);
+
+  promise_test(async t => {
+    await no_trusted_type_violation_for(_ =>
+      new functionConstructor(policy.createScript('a'), policy.createScript(input))
+    );
+  }, `No violation reported for ${functionConstructor.name} with multiple TrustedScript args.`);
+
+  promise_test(async t => {
+    let violation = await trusted_type_violation_for(EvalError, _ =>
+      new functionConstructor(input)
+    );
+    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
+    assert_equals(violation.blockedURI, "trusted-types-sink");
+    assert_equals(violation.sample, `Function|${clipSampleIfNeeded(`(\n) {\n${input}\n}`)}`);
+  }, `Violation report for ${functionConstructor.name} with plain string.`);
+});

trusted-types/trusted-types-eval-reporting.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  fetch_tests_from_worker(new Worker(
+    "support/trusted-types-reporting-for-eval-worker.js"
+  ));
+</script>

trusted-types/trusted-types-eval-reporting.html.headers

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  fetch_tests_from_worker(new Worker(
+    "support/trusted-types-reporting-for-function-constructor-worker.js"
+  ));
+</script>

trusted-types/trusted-types-reporting-for-DedicatedWorker-eval.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  // Cargo-culted from code generated from "META: worker".
+  (async function() {
+    const scope = 'support/some/scope/for/this/test';
+    let reg = await navigator.serviceWorker.getRegistration(scope);
+    if (reg) await reg.unregister();
+    reg = await navigator.serviceWorker.register(
+      "support/trusted-types-reporting-for-eval-worker.js", {scope});
+    fetch_tests_from_worker(reg.installing);
+  })();
+</script>

trusted-types/trusted-types-reporting-for-DedicatedWorker-function-constructor.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  // Cargo-culted from code generated from "META: worker".
+  (async function() {
+    const scope = 'support/some/scope/for/this/test';
+    let reg = await navigator.serviceWorker.getRegistration(scope);
+    if (reg) await reg.unregister();
+    reg = await navigator.serviceWorker.register(
+      "support/trusted-types-reporting-for-function-constructor-worker.js", {scope});
+    fetch_tests_from_worker(reg.installing);
+  })();
+</script>

trusted-types/trusted-types-reporting-for-ServiceWorker-eval.https.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  fetch_tests_from_worker(new SharedWorker(
+    "support/trusted-types-reporting-for-eval-worker.js"
+  ));
+</script>

trusted-types/trusted-types-reporting-for-ServiceWorker-function-constructor.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+  fetch_tests_from_worker(new SharedWorker(
+    "support/trusted-types-reporting-for-function-constructor-worker.js"
+  ));
+</script>

trusted-types/trusted-types-reporting-for-SharedWorker-eval.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+<script src="support/csp-violations.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+<script src="support/trusted-types-reporting-for-eval.js">
+</script>

trusted-types/trusted-types-reporting-for-SharedWorker-function-constructor.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="support/helper.sub.js"></script>
+<script src="support/csp-violations.js"></script>
+
+<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'; connect-src 'none';">
+<body>
+<script src="support/trusted-types-reporting-for-function-constructor.js">
+</script>