set-event-handlers-content-attributes.tentative.html

Enable keyboard shortcuts

This WPT test may be referenced by the following Test IDs:
- /trusted-types/set-event-handlers-content-attributes.tentative.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<head>

  <script src="/resources/testharness.js"></script>

  <script src="/resources/testharnessreport.js"></script>

  <script src="support/namespaces.js"></script>

  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">

</head>

<body>

<script type="module">

  import { getEventHandlerAttributeWithInterfaceNames } from './support/event-handler-attributes.mjs';

  promise_setup(async function() {

    const input_string = "unsafe_handler()";

    const output_string = "safe_handler()";

    let seenSinkName;

    function resetSeenSinkName() { seenSinkName = undefined; }

    trustedTypes.createPolicy("default", {

      createScript: (input, trustedTypeName, sinkName) => {

        assert_equals(input, input_string);

        assert_equals(trustedTypeName, "TrustedScript");

        assert_equals(seenSinkName, undefined);

        seenSinkName = sinkName;

        return output_string;

});

    function elementsImplementingInterface(interfaceName) {

      switch (interfaceName) {

      case 'GlobalEventHandlers':

          return [document.createElement("div"),

                  document.createElementNS(NSURI_SVG, "g"),

                  document.createElementNS(NSURI_MATHML, "mrow")];

      case 'WindowEventHandlers':

          return [document.createElement("body"),

                  document.createElement("frameset")];

      case 'HTMLMediaElement':

          return [document.createElement("audio"),

                  document.createElement("video")];

      case 'SVGAnimationElement':

         return [document.createElementNS(NSURI_SVG, "animation")];

      default:

        throw "Unknown interface";

    for (const attr of await getEventHandlerAttributeWithInterfaceNames()) {

      elementsImplementingInterface(attr.interfaceName).forEach(element => {

         function cleanup() {

           resetSeenSinkName();

           element.removeAttribute(attr.name);

         promise_test(async t => {

           t.add_cleanup(cleanup);

           element.setAttribute(attr.name, input_string);

           assert_equals(seenSinkName, `Element ${attr.name}`);

           assert_equals(element.getAttribute(attr.name),output_string);

         }, `${element.tagName}.setAttribute(${attr.name}, "${input_string}") calls default policy`);

         promise_test(async t => {

           t.add_cleanup(cleanup);

           element.setAttributeNS(null, attr.name, input_string);

           assert_equals(seenSinkName, `Element ${attr.name}`);

           assert_equals(element.getAttribute(attr.name),output_string);

         }, `${element.tagName}.setAttributeNS(${attr.name}, "${input_string}") calls default policy`);

});

    // The following names correspond to event handler content attributes, but

    // not for the div element. The current version of the spec says we should

    // still run the default policy on them.

    "onafterprint",    // body or frameset elements.

    "onwaitingforkey", // audio or video elements.

    "onbegin",         // SVG animation element.

    ].forEach(attrName => {

      promise_test(async t => {

        t.add_cleanup(resetSeenSinkName);

        let element = document.createElement("div");

        element.setAttribute(attrName, input_string);

        assert_equals(seenSinkName, `Element ${attrName}`);

        assert_equals(element.getAttribute(attrName), output_string);

      }, `DIV.setAttribute("${attrName}", "${input_string}") calls default policy`);

});

    // The following names do not correspond to any event handler content

    // attributes on a DOM element, so default policy should not apply.

    "onreadystatechange", // XMLHttpRequest, Document

    "onvisibilitychange", // Document

    "ondevicemotion", // Window

    "ondeviceorientation", // Window

    "ondeviceorientationabsolute", // Window

    "onuserproximity", // Window

    "ondevicelight", // Window

    "onvrdisplayactivate", // Window

    "onvrdisplaydeactivate", // Window

    "onvrdisplayconnect", // Window

    "onvrdisplaydisconnect", // Window

    "onvrdisplaypresentchange", // Window

    "onopen",             // EventSource, RTCDataChannel, WebSocket, etc

    "ondoesnotexist",     // starts with "on" but not defined in any spec.

    ].forEach(attrName => {

      promise_test(async t => {

        t.add_cleanup(resetSeenSinkName);

        let element = document.createElement("div");

        element.setAttribute(attrName, input_string);

        assert_equals(seenSinkName, undefined);

        assert_equals(element.getAttribute(attrName), input_string);

      }, `DIV.setAttribute("${attrName}", "${input_string}") does not call default policy`);

});

});

</script>

</body>