block-string-assignment-to-Element-setAttributeNS.html

Enable keyboard shortcuts

This test has a WPT meta file that expects 3 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /trusted-types/block-string-assignment-to-Element-setAttributeNS.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<html>

<head>

  <script src="/resources/testharness.js"></script>

  <script src="/resources/testharnessreport.js"></script>

  <script src="support/helper.sub.js"></script>

  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">

</head>

<body>

<script>

    test(t => {

      assert_element_accepts_trusted_html_set_ns(window, '0', t, 'a', 'b', RESULTS.HTML);

    }, "Element.setAttributeNS assigned via policy (successful HTML transformation)");

    test(t => {

      assert_element_accepts_trusted_script_set_ns(window, '1', t, 'a', 'b', RESULTS.SCRIPT);

    }, "Element.setAttributeNS assigned via policy (successful Script transformation)");

    test(t => {

      assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);

    }, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");

    const htmlNamespace = "http://www.w3.org/1999/xhtml";

    // Unknown attributes should not be TT checked:

    test(t => {

      assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string', htmlNamespace, null);

    }, "Element.setAttributeNS accepts untrusted string for non-specced accessor");

    test(t => {

      assert_element_accepts_non_trusted_type_set_ns('a', 'b', null, 'null', htmlNamespace, null);

    }, "Element.setAttributeNS accepts null for non-specced accessor");

    // Setup trusted values for use in subsequent tests.

    const script_url = createScriptURL_policy(window, '5').createScriptURL(INPUTS.ScriptURL);

    const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML);

    const script = createScript_policy(window, '7').createScript(INPUTS.Script);

    const xlinkNamespace = "http://www.w3.org/1999/xlink";

    const svgNamespace = "http://www.w3.org/2000/svg";

    // svg:script xlink:href=... expects a TrustedScriptURL.

    // Assigning a TrustedScriptURL works.

    test(t => {

      let elem = document.createElementNS(svgNamespace, "script");

      elem.setAttributeNS(xlinkNamespace, "href", script_url);

      assert_equals("" + RESULTS.ScriptURL,

                    elem.getAttributeNodeNS(xlinkNamespace, "href").value);

    }, "Assigning TrustedScriptURL to <svg:script xlink:href=...> works");

    // Assigning things that ought to not work.

    test(t => {

      let elem = document.createElementNS(svgNamespace, "script");

      const values = [ "abc", null, html, script ];

      for (const v of values) {

        assert_throws_js(TypeError, _ => {

          elem.setAttributeNS(xlinkNamespace, "href", v);

});

    }, "Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works");

    // <https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation>.

    const nonLowerCaseTests = [

      { element: "iframe", attribute: "SRCDOC", elementNamespace: htmlNamespace },

      { element: "script", attribute: "SRC", elementNamespace: htmlNamespace },

      { element: "script", attribute: "HREF", elementNamespace: svgNamespace },

      { element: "script", attribute: "HREF", elementNamespace: svgNamespace,

        attributeNamespace: xlinkNamespace },

];

    for (const testData of nonLowerCaseTests) {

      const attributeNamespace = testData.attributeNamespace ?? null;

      test(t => {

        assert_element_accepts_non_trusted_type_set_ns(testData.element, testData.attribute, "v",

        "v", testData.elementNamespace, attributeNamespace);

      }, "Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute \"" +

         testData.attribute + "\" (ns=" + attributeNamespace + ") for \"" + testData.element +

         "\" element (ns=" + testData.elementNamespace + ").");

</script>