[Trusted Types] Implement require-trusted-types-for
This CL separates 'require-trusted-types-for' from 'trusted-typs'
Content Security Policy directive, which currently has only one injection
sink 'script'.
https://w3c.github.io/webappsec-trusted-types/dist/spec/#require-trusted-types-for-csp-directive
Bug: 1030257
Change-Id: I1c241c5b6be318aa195323178cf974df138d5788
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1993351
Commit-Queue: Yifan Luo <lyf@google.com>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#732848}
diff --git a/trusted-types/GlobalEventHandlers-onclick.tentative.html b/trusted-types/GlobalEventHandlers-onclick.tentative.html
index 8c9c2f1..6cbf680 100644
--- a/trusted-types/GlobalEventHandlers-onclick.tentative.html
+++ b/trusted-types/GlobalEventHandlers-onclick.tentative.html
@@ -3,7 +3,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script'">
<body>
<div id="container"></div>
<script>
diff --git a/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html b/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html
index da7d1b4..67c734b 100644
--- a/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html
+++ b/trusted-types/TrustedTypePolicyFactory-metadata.tentative.html
@@ -4,7 +4,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
<body>
<div id="target"></div>
<script>
diff --git a/trusted-types/WorkerGlobalScope-importScripts.https.html b/trusted-types/WorkerGlobalScope-importScripts.https.html
index 9dbfd7b..0aa965e 100644
--- a/trusted-types/WorkerGlobalScope-importScripts.https.html
+++ b/trusted-types/WorkerGlobalScope-importScripts.https.html
@@ -1,7 +1,7 @@
<!doctype html>
<html>
<head>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
diff --git a/trusted-types/block-Node-multiple-arguments.tentative.html b/trusted-types/block-Node-multiple-arguments.tentative.html
index 5552e13..879d34f 100644
--- a/trusted-types/block-Node-multiple-arguments.tentative.html
+++ b/trusted-types/block-Node-multiple-arguments.tentative.html
@@ -4,7 +4,7 @@
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<div id="container"></div>
diff --git a/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html b/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html
index 82e3120..12cef6a 100644
--- a/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html
+++ b/trusted-types/block-string-assignment-to-DOMParser-parseFromString.tentative.html
@@ -3,7 +3,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
<body>
<script>
// Trusted HTML assignments do not throw.
diff --git a/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html b/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
index 468ed7b..6d723ba 100644
--- a/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
+++ b/trusted-types/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.tentative.html
@@ -3,7 +3,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
<body>
<script>
// setTimeout tests
diff --git a/trusted-types/block-string-assignment-to-Document-write.tentative.html b/trusted-types/block-string-assignment-to-Document-write.tentative.html
index 4defb56..1049b46 100644
--- a/trusted-types/block-string-assignment-to-Document-write.tentative.html
+++ b/trusted-types/block-string-assignment-to-Document-write.tentative.html
@@ -5,7 +5,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<script>
diff --git a/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html b/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html
index 37a73f0..1e8c091 100644
--- a/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html
+++ b/trusted-types/block-string-assignment-to-Element-insertAdjacentHTML.tentative.html
@@ -5,7 +5,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<div id="container"></div>
diff --git a/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html b/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html
index 8f314a2..17815e6 100644
--- a/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html
+++ b/trusted-types/block-string-assignment-to-Element-outerHTML.tentative.html
@@ -5,7 +5,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<div id="container"></div>
diff --git a/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html b/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
index 2639e16..47c4c35 100644
--- a/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
+++ b/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
@@ -5,7 +5,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<script>
diff --git a/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html b/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html
index 5754521..cc8b05e 100644
--- a/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html
+++ b/trusted-types/block-string-assignment-to-Element-setAttributeNS.tentative.html
@@ -5,7 +5,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<script>
diff --git a/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html b/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
index 84ff83b..b574519 100644
--- a/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
+++ b/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
@@ -5,7 +5,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<script>
diff --git a/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html b/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html
index 61553eb..a573762 100644
--- a/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html
+++ b/trusted-types/block-string-assignment-to-Range-createContextualFragment.tentative.html
@@ -3,7 +3,7 @@
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
-<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+<meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
<body>
<script>
// TrustedHTML assignments do not throw.
diff --git a/trusted-types/block-text-node-insertion-into-script-element.tentative.html b/trusted-types/block-text-node-insertion-into-script-element.tentative.html
index 04b19f7..1f5e8fd 100644
--- a/trusted-types/block-text-node-insertion-into-script-element.tentative.html
+++ b/trusted-types/block-text-node-insertion-into-script-element.tentative.html
@@ -3,7 +3,7 @@
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<div id="container"></div>
diff --git a/trusted-types/default-policy-report-only.tentative.html.headers b/trusted-types/default-policy-report-only.tentative.html.headers
index fa87952..67b9ef7 100644
--- a/trusted-types/default-policy-report-only.tentative.html.headers
+++ b/trusted-types/default-policy-report-only.tentative.html.headers
@@ -1 +1 @@
-Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy-Report-Only: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/default-policy.tentative.html.headers b/trusted-types/default-policy.tentative.html.headers
index 1bc33ad..6a40e40 100644
--- a/trusted-types/default-policy.tentative.html.headers
+++ b/trusted-types/default-policy.tentative.html.headers
@@ -1 +1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/empty-default-policy-report-only.tentative.html.headers b/trusted-types/empty-default-policy-report-only.tentative.html.headers
index fa87952..67b9ef7 100644
--- a/trusted-types/empty-default-policy-report-only.tentative.html.headers
+++ b/trusted-types/empty-default-policy-report-only.tentative.html.headers
@@ -1 +1 @@
-Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy-Report-Only: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/empty-default-policy.tentative.html.headers b/trusted-types/empty-default-policy.tentative.html.headers
index 1bc33ad..6a40e40 100644
--- a/trusted-types/empty-default-policy.tentative.html.headers
+++ b/trusted-types/empty-default-policy.tentative.html.headers
@@ -1 +1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/eval-csp-tt-default-policy.tentative.html b/trusted-types/eval-csp-tt-default-policy.tentative.html
index 8f1926d..eaa74ea 100644
--- a/trusted-types/eval-csp-tt-default-policy.tentative.html
+++ b/trusted-types/eval-csp-tt-default-policy.tentative.html
@@ -16,7 +16,7 @@
}, "eval of TrustedScript works.");
test(t => {
- assert_equals(eval('1+1'), 15);
+ assert_equals(eval('1+1'), 2);
}, "eval of string works.");
test(t => {
diff --git a/trusted-types/eval-csp-tt-no-default-policy.tentative.html b/trusted-types/eval-csp-tt-no-default-policy.tentative.html
index dc976d6..0da09a8 100644
--- a/trusted-types/eval-csp-tt-no-default-policy.tentative.html
+++ b/trusted-types/eval-csp-tt-no-default-policy.tentative.html
@@ -4,7 +4,7 @@
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<script nonce="abc" src="support/helper.sub.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script';">
</head>
<body>
<script>
diff --git a/trusted-types/eval-with-permissive-csp.tentative.html b/trusted-types/eval-with-permissive-csp.tentative.html
index 074fe79..32f12d8 100644
--- a/trusted-types/eval-with-permissive-csp.tentative.html
+++ b/trusted-types/eval-with-permissive-csp.tentative.html
@@ -7,7 +7,7 @@
<!-- Note: Trusted Types enforcement, and a CSP that allows all eval. -->
<meta http-equiv="Content-Security-Policy"
- content="script-src 'nonce-abc' 'unsafe-eval'; trusted-types *">
+ content="script-src 'nonce-abc' 'unsafe-eval'; trusted-types *; require-trusted-types-for 'script'">
</head>
<body>
<script nonce="abc">
diff --git a/trusted-types/no-require-trusted-types-for-report-only.tentative.html b/trusted-types/no-require-trusted-types-for-report-only.tentative.html
new file mode 100644
index 0000000..56f6295
--- /dev/null
+++ b/trusted-types/no-require-trusted-types-for-report-only.tentative.html
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+ const testCases = [
+ ["script", "src"],
+ ["div", "innerHTML"],
+ ["script", "text"],
+ ];
+
+ testCases.forEach(c => {
+ const name = `${c[0]}.${c[1]} `;
+ test(t => {
+ s = document.createElement("script");
+ s.innerText = "1";
+ assert_equals("1", s.innerText.toString());
+ }, name + "without trusted types");
+ });
+
+ p = trustedTypes.createPolicy("policyA",
+ {createScript: s => s + 1, createHTML: s => s + 1, createScriptURL: s => s + 1});
+ testCases.forEach(c => {
+ const name = `${c[0]}.${c[1]} `;
+ test(t => {
+ s = document.createElement("script");
+ script = p.createScript("1");
+ s.innerText = script;
+ assert_equals(script.toString(), s.innerText.toString());
+ }, name + "with trusted types");
+ });
+
+ trustedTypes.createPolicy("default", {});
+ testCases.forEach(c => {
+ const name = `${c[0]}.${c[1]} `;
+ test(t => {
+ s = document.createElement("script");
+ s.innerText = "1";
+ assert_equals(s.innerText.toString(), "1");
+ }, name + "empty default");
+ });
+</script>
\ No newline at end of file
diff --git a/trusted-types/no-require-trusted-types-for-report-only.tentative.html.headers b/trusted-types/no-require-trusted-types-for-report-only.tentative.html.headers
new file mode 100644
index 0000000..fa87952
--- /dev/null
+++ b/trusted-types/no-require-trusted-types-for-report-only.tentative.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: trusted-types *
diff --git a/trusted-types/no-require-trusted-types-for.tentative.html b/trusted-types/no-require-trusted-types-for.tentative.html
new file mode 100644
index 0000000..4e11b03
--- /dev/null
+++ b/trusted-types/no-require-trusted-types-for.tentative.html
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+</head>
+<body>
+<script>
+ const testCases = [
+ ["script", "src"],
+ ["div", "innerHTML"],
+ ["script", "text"],
+ ];
+
+ testCases.forEach(c => {
+ const name = `${c[0]}.${c[1]} `;
+ test(t => {
+ s = document.createElement("script");
+ s.innerText = "1";
+ assert_equals("1", s.innerText.toString());
+ }, name + "without trusted types");
+ });
+
+ p = trustedTypes.createPolicy("policyA",
+ {createScript: s => s + 1, createHTML: s => s + 1, createScriptURL: s => s + 1});
+ testCases.forEach(c => {
+ const name = `${c[0]}.${c[1]} `;
+ test(t => {
+ s = document.createElement("script");
+ script = p.createScript("1");
+ s.innerText = script;
+ assert_equals(script.toString(), s.innerText.toString());
+ }, name + "with trusted types");
+ });
+
+ trustedTypes.createPolicy("default", {});
+ testCases.forEach(c => {
+ const name = `${c[0]}.${c[1]} `;
+ test(t => {
+ s = document.createElement("script");
+ s.innerText = "1";
+ assert_equals(s.innerText.toString(), "1");
+ }, name + "empty default");
+ });
+</script>
\ No newline at end of file
diff --git a/trusted-types/require-trusted-types-for-report-only.tentative.html b/trusted-types/require-trusted-types-for-report-only.tentative.html
new file mode 100644
index 0000000..25b4440
--- /dev/null
+++ b/trusted-types/require-trusted-types-for-report-only.tentative.html
@@ -0,0 +1,71 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+ function promise_violation(filter_arg) {
+ return _ => new Promise((resolve, reject) => {
+ function handler(e) {
+ let matches = (filter_arg instanceof Function)
+ ? filter_arg(e)
+ : (e.originalPolicy.includes(filter_arg));
+ if (matches) {
+ document.removeEventListener("securitypolicyviolation", handler);
+ e.stopPropagation();
+ resolve(e);
+ }
+ }
+
+ document.addEventListener("securitypolicyviolation", handler);
+ });
+ }
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"));
+
+ d = document.createElement("div");
+ d.innerHTML = "a";
+ assert_equals("a", d.innerHTML);
+ return p;
+ }, "Require trusted types for 'script' block create HTML.");
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"));
+
+ d = document.createElement("script");
+ d.innerText = "a";
+ assert_equals("a", d.innerText);
+ return p;
+ }, "Require trusted types for 'script' block create script.");
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"));
+
+ s = document.createElement("script");
+ s.src = "a";
+ assert_true(s.src.includes("/trusted-types/a"));
+ return p;
+ }, "Require trusted types for 'script' block create script URL.");
+
+ promise_test(t => {
+ return new Promise(resolve => {
+ p = trustedTypes.createPolicy("policyA", {createScript: s => s+1});
+ p1 = trustedTypes.createPolicy("policyA", {createHTML: _ => ""});
+ p2 = trustedTypes.createPolicy("default", {});
+ script = p.createScript("1");
+ assert_equals(script.toString(), "11");
+ s = document.createElement("script");
+ s.innerText = script;
+ assert_equals(script.toString(), s.innerText.toString());
+ s.innerText = "1";
+ assert_equals("1", s.innerText);
+ resolve();
+ });
+ }, "Set require trusted types for 'script' without CSP for trusted types don't block policy creation and using.");
+</script>
\ No newline at end of file
diff --git a/trusted-types/require-trusted-types-for-report-only.tentative.html.headers b/trusted-types/require-trusted-types-for-report-only.tentative.html.headers
new file mode 100644
index 0000000..c6412f8
--- /dev/null
+++ b/trusted-types/require-trusted-types-for-report-only.tentative.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
\ No newline at end of file
diff --git a/trusted-types/require-trusted-types-for.tentative.html b/trusted-types/require-trusted-types-for.tentative.html
new file mode 100644
index 0000000..95cfc4d
--- /dev/null
+++ b/trusted-types/require-trusted-types-for.tentative.html
@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
+</head>
+<body>
+<script>
+
+ function promise_violation(filter_arg) {
+ return _ => new Promise((resolve, reject) => {
+ function handler(e) {
+ let matches = (filter_arg instanceof Function)
+ ? filter_arg(e)
+ : (e.originalPolicy.includes(filter_arg));
+ if (matches) {
+ document.removeEventListener("securitypolicyviolation", handler);
+ e.stopPropagation();
+ resolve(e);
+ }
+ }
+
+ document.addEventListener("securitypolicyviolation", handler);
+ });
+ }
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"));
+ d = document.createElement("div");
+ assert_throws(new TypeError(),
+ _ => {
+ d.innerHTML = "a";
+ });
+ assert_equals("", d.innerHTML);
+ return p;
+ }, "Require trusted types for 'script' block create HTML.");
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"));
+ d = document.createElement("script");
+ assert_throws(new TypeError(),
+ _ => {
+ d.innerText = "a";
+ });
+ assert_equals("", d.innerText);
+ return p;
+ }, "Require trusted types for 'script' block create script.");
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"));
+ s = document.createElement("script");
+ assert_throws(new TypeError(),
+ _ => {
+ s.src = "a";
+ });
+ assert_equals("", s.src);
+ return p;
+ }, "Require trusted types for 'script' block create script URL.");
+
+ promise_test(t => {
+ return new Promise(resolve => {
+ p = trustedTypes.createPolicy("policyA", {createScript: s => s + 1});
+ p1 = trustedTypes.createPolicy("policyA", {createHTML: _ => ""});
+ p2 = trustedTypes.createPolicy("default", {createScript: s => s});
+ script = p.createScript("1");
+ assert_equals(script.toString(), "11");
+ s = document.createElement("script");
+ s.innerText = script;
+ assert_equals(script.toString(), s.innerText.toString());
+ s.innerText = "1";
+ assert_equals("1", s.innerText.toString());
+ resolve();
+ });
+ }, "Set require trusted types for 'script' without CSP for trusted types don't block policy creation and using.");
+</script>
\ No newline at end of file
diff --git a/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers b/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers
index 1bc33ad..6a40e40 100644
--- a/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers
+++ b/trusted-types/support/WorkerGlobalScope-importScripts.https.js.headers
@@ -1 +1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/support/navigation-report-only-support.html.headers b/trusted-types/support/navigation-report-only-support.html.headers
index fa87952..67b9ef7 100644
--- a/trusted-types/support/navigation-report-only-support.html.headers
+++ b/trusted-types/support/navigation-report-only-support.html.headers
@@ -1 +1 @@
-Content-Security-Policy-Report-Only: trusted-types *
+Content-Security-Policy-Report-Only: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/support/navigation-support.html.headers b/trusted-types/support/navigation-support.html.headers
index 1bc33ad..6a40e40 100644
--- a/trusted-types/support/navigation-support.html.headers
+++ b/trusted-types/support/navigation-support.html.headers
@@ -1 +1 @@
-Content-Security-Policy: trusted-types *
+Content-Security-Policy: trusted-types *; require-trusted-types-for 'script';
diff --git a/trusted-types/trusted-types-createHTMLDocument.tentative.html b/trusted-types/trusted-types-createHTMLDocument.tentative.html
index 6ab5f42..711e494 100644
--- a/trusted-types/trusted-types-createHTMLDocument.tentative.html
+++ b/trusted-types/trusted-types-createHTMLDocument.tentative.html
@@ -2,7 +2,7 @@
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types * 'allow-duplicates'">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types * 'allow-duplicates'; require-trusted-types-for 'script'">
</head>
<body>
<script>
diff --git a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
index 7902df1..7867310 100644
--- a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
+++ b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html
@@ -76,7 +76,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types *"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(promise_flush());
expect_throws(_ => eval('script_run_beacon="should not run"'));
assert_equals(script_run_beacon, 'never_overwritten');
diff --git a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
index 4bc0bd3..30fe3b1 100644
--- a/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
+++ b/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.https.html.headers
@@ -1,4 +1,4 @@
Content-Security-Policy: trusted-types *
Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
Content-Security-Policy: plugin-types bla/blubb
-
+Content-Security-Policy: require-trusted-types-for 'script'
diff --git a/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html b/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
index bd8933a..18c0352 100644
--- a/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
+++ b/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html
@@ -76,7 +76,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types *"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(promise_flush());
eval('script_run_beacon="report-only-does-not-stop"');
assert_equals(script_run_beacon, 'report-only-does-not-stop');
diff --git a/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers b/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
index ba26c77..1d70336 100644
--- a/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
+++ b/trusted-types/trusted-types-eval-reporting-report-only.tentative.https.html.headers
@@ -1,4 +1,5 @@
Content-Security-Policy-Report-Only: trusted-types *
Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
Content-Security-Policy: plugin-types bla/blubb
+Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
diff --git a/trusted-types/trusted-types-eval-reporting.tentative.https.html b/trusted-types/trusted-types-eval-reporting.tentative.https.html
index c751ae1..a521f94 100644
--- a/trusted-types/trusted-types-eval-reporting.tentative.https.html
+++ b/trusted-types/trusted-types-eval-reporting.tentative.https.html
@@ -68,7 +68,7 @@
promise_test(t => {
let beacon = 'never_overwritten';
let p = Promise.resolve()
- .then(promise_violation("trusted-types *"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(promise_flush());
assert_throws(new EvalError(),
_ => eval('beacon="should not run"'));
diff --git a/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers b/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
index 2e935f7..91a2be9 100644
--- a/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
+++ b/trusted-types/trusted-types-eval-reporting.tentative.https.html.headers
@@ -1,4 +1,5 @@
Content-Security-Policy: trusted-types *
Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
Content-Security-Policy: plugin-types bla/blubb
+Content-Security-Policy: require-trusted-types-for 'script'
diff --git a/trusted-types/trusted-types-navigation.tentative.html b/trusted-types/trusted-types-navigation.tentative.html
index 7f17c64..657cbb7 100644
--- a/trusted-types/trusted-types-navigation.tentative.html
+++ b/trusted-types/trusted-types-navigation.tentative.html
@@ -12,7 +12,8 @@
}
function expectViolationAsMessage(sample) {
- const filter = e => (e.data.effectiveDirective == "trusted-types" &&
+ const filter = e => ((e.data.effectiveDirective == "require-trusted-types-for" ||
+ e.data.effectiveDirective == "trusted-types") &&
(!sample || e.data.sample.startsWith(sample)));
return new expectMessage(filter);
}
diff --git a/trusted-types/trusted-types-report-only.tentative.https.html b/trusted-types/trusted-types-report-only.tentative.https.html
index bf0a1eb..fcb7784 100644
--- a/trusted-types/trusted-types-report-only.tentative.https.html
+++ b/trusted-types/trusted-types-report-only.tentative.https.html
@@ -77,8 +77,8 @@
return p.then(report => {
assert_equals(report.documentURI, "" + window.location);
assert_equals(report.disposition, "report");
- assert_equals(report.effectiveDirective, "trusted-types");
- assert_equals(report.violatedDirective, "trusted-types");
+ assert_equals(report.effectiveDirective, "require-trusted-types-for");
+ assert_equals(report.violatedDirective, "require-trusted-types-for");
assert_true(report.originalPolicy.startsWith("trusted-types two;"));
});
}, "Trusted Type violation report: check report contents");
diff --git a/trusted-types/trusted-types-report-only.tentative.https.html.headers b/trusted-types/trusted-types-report-only.tentative.https.html.headers
index b38cfae..857a8b3 100644
--- a/trusted-types/trusted-types-report-only.tentative.https.html.headers
+++ b/trusted-types/trusted-types-report-only.tentative.https.html.headers
@@ -1 +1 @@
-Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php
+Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php; require-trusted-types-for 'script';
diff --git a/trusted-types/trusted-types-reporting.tentative.https.html b/trusted-types/trusted-types-reporting.tentative.https.html
index 10a951f..ef282dc 100644
--- a/trusted-types/trusted-types-reporting.tentative.https.html
+++ b/trusted-types/trusted-types-reporting.tentative.https.html
@@ -125,13 +125,13 @@
}, "Trusted Type violation report: creating a forbidden-but-not-reported policy.");
promise_test(t => {
- let p = promise_violation("trusted-types two")();
+ let p = promise_violation("require-trusted-types-for 'script'")();
expect_throws(_ => document.getElementById("script").src = url);
return p;
}, "Trusted Type violation report: assign string to script url");
promise_test(t => {
- let p = promise_violation("trusted-types two")();
+ let p = promise_violation("require-trusted-types-for 'script'")();
expect_throws(_ => document.getElementById("div").innerHTML = "abc");
return p;
}, "Trusted Type violation report: assign string to html");
@@ -152,7 +152,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types two"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("Element.innerHTML"))
.then(expect_sample("abc"));
@@ -162,7 +162,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types two"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLScriptElement.src"));
expect_throws(_ => { document.getElementById("script").src = "" });
@@ -171,7 +171,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types two"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLElement.innerText"))
.then(expect_sample("2+2;"));
@@ -181,7 +181,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types one"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("eval"))
.then(expect_sample("2+2"))
@@ -195,7 +195,7 @@
// We expect the sample string to always contain the name, and at least the
// start of the value, but it should not be excessively long.
let p = Promise.resolve()
- .then(promise_violation("trusted-types two"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLElement.innerText"))
.then(expect_sample("abbb"))
@@ -214,7 +214,7 @@
promise_test(t => {
let p = Promise.resolve()
- .then(promise_violation("trusted-types one"))
+ .then(promise_violation("require-trusted-types-for 'script'"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLScriptElement.src"))
.then(expect_sample("abc"));
diff --git a/trusted-types/trusted-types-reporting.tentative.https.html.headers b/trusted-types/trusted-types-reporting.tentative.https.html.headers
index 947a151..fa8acea 100644
--- a/trusted-types/trusted-types-reporting.tentative.https.html.headers
+++ b/trusted-types/trusted-types-reporting.tentative.https.html.headers
@@ -2,4 +2,5 @@
Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php
Content-Security-Policy: plugin-types bla/blubb
Content-Security-Policy: default-src * 'unsafe-inline'
+Content-Security-Policy: require-trusted-types-for 'script'
diff --git a/trusted-types/tt-block-eval.tentative.html b/trusted-types/tt-block-eval.tentative.html
index e721b0e..8fe8aa5 100644
--- a/trusted-types/tt-block-eval.tentative.html
+++ b/trusted-types/tt-block-eval.tentative.html
@@ -3,7 +3,7 @@
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
- <meta http-equiv="Content-Security-Policy" content="trusted-types *">
+ <meta http-equiv="Content-Security-Policy" content="trusted-types *; require-trusted-types-for 'script'">
</head>
<body>
<script>