-
Notifications
You must be signed in to change notification settings - Fork 294
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trusted types attributes #1268
base: main
Are you sure you want to change the base?
Trusted types attributes #1268
Conversation
This is a clone of #1247 where I will finish any outstanding work to get this across the line |
3562fcb
to
ac5b4aa
Compare
524d8cd
to
f8877b6
Compare
See also #1258 which is another integration point with the DOM spec that we need for TT. |
f8877b6
to
ee9915e
Compare
dom.bs
Outdated
<li><p><a>Validate and set attribute value</a> <var>attr</var>'s <a for="Attr">value</a> for | ||
<var>attr</var> with <var>element</var>. | ||
|
||
<li><p>If <var>element</var> <a lt="has an attribute">has</a> an <a>attribute</a> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still find it difficult to wrap my head around this logic. I think conceptually, we want to have the old value -- from before the call, and thus before a default policy might have mucked with it. That's what should go into the change attribute logic. But once we have that, I'm not sure why we'd need to throw an exception here. I'm not sure why we'd have to care whether the default policy does anything funny with the attribute in the mean time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've read through this spec path and I believe that, if the default policy removes the existing attribute node, then this will call replace an attribute, which in turn calls replace a list item, which results in a no-op because the old value no longer exists to be replaced.
So I think in this situation you're probably right the spec doesn't need to do anything, will make that change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having said that I'm slightly uneasy about stuff like attribute change steps still firing and how that all works spec wise.
Both Chromium and WebKit don't actually follow the spec 100% here and so I think would actually result in a different behaviour to this spec (the index lookup happens after the TT call) so that's also not ideal.
I think I've addressed all the comments from #1247. I do want to point out Chrome and WebKit don't (or at least not in a way obvious to me) 100% follow the flow of the spec and as a result this may result in differences specifically in weird cases with attribute mutation. So that bit especially it would be good to get feedback on. It's also worth being aware that like Chromium's implementation this spec means that certain ways to update a nodes value don't work with a trusted type object as a user might expect. (e.g. |
ba80870
to
36476b5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is either incomplete or makes many cosmetic changes that would be best proposed separately as they confuse me quite a bit.
370f5c9
to
4421d50
Compare
Apologies I thought I'd reverted all of these changes but I missed a few, it's because I changed stuff and then changed it back and this led to some wonky diffs. Have hopefully reverted all of these unnecessary changes |
1d42460
to
1eeaf00
Compare
dom.bs
Outdated
<li><p>If <var>attribute</var>'s <a for=Attr>element</a> <a lt="has an attribute">has</a> | ||
an <a>attribute</a> <var>attribute</var>, then <a>handle attribute changes</a> for | ||
<var>attribute</var> with <var>attribute</var>'s <a for=Attr>element</a>, <var>oldValue</var>, and | ||
<var>value</var>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be value or attribute's value? They can be different, right?
@otherdaniel, @annevk , and @smaug---- regarding the case where the default policy changes assumptions about the existence of an attribute mid-way through what would you prefer the spec say to do? Currently I've specced to throw, but Chromium currently re-looks up the index (spec doesn't explicitly work on an index basis but Chromium and WebKit do) |
Attributes are stored in a list and those do have indices per Infra. What am I missing? |
Sorry I mean algorithmically the spec and implementations don't follow the same flow. So it's trickier to reason between the spec and implementation. This might just be my lack of familiarity with these APIs too. |
The path of least resistance is prolly matching Chromium. Introducing new paths that throw is always risky. If you are looking for guidance as to how, I'd need quite a bit more context to provide helpful suggestions. |
4089eaf
to
02db8c7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some questions. I could be missing something in TT spec which somehow covers the problematic cases, but please at least explain and ask review again.
<ol> | ||
<li><p>Return the result of calling | ||
<a abstract-op>get Trusted Types-compliant attribute value</a> for <var>attribute</var>, with | ||
<var>element</var>, <var>value</var>. [[!TRUSTED-TYPES]] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this may throw. Do the callers of this method handle that in some way?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They will end up rethrowing the exception which is what's expected.
<var>attr</var>'s <a for=Attr>value</a> for <var>attr</var>, with <var>element</var>. | ||
|
||
<li><p>Set <var>attr</var>'s <a for=Attr>value</a> to <var>verifiedValue</var>. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, so doing the verification may run scripts. And that means oldAttr might not be anymore in the element it used to be. Could that cause issues? Could the value be validated first for certain kind of element but then used on some other kind of element?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The default policy doesn't provide context about which element an attribute is set on only the name of the attribute. In this case this algorithm is triggered by APIs such as setAttributeNode or setNamedItem.
So I don't think there's anything that can happen here that's too bad. Also any mechanism you use inside of the default policy will itself trigger the default policy so it should be fine?
<li><p>Let <var>verifiedValue</var> be the result of calling <a>verify attribute value</a> | ||
<var>value</var> for <var>attribute</var>, with <a>this</a>. | ||
|
||
<li><p><a lt="change an attribute">Change</a> <var>attribute</var> to <var>verifiedValue</var>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't this lead to effectively null pointer crashes in algorithms if attribute has been moved out from an element by the tt callback?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess potentially if some sub algorithm of change an attribute is assuming that element must exist? Fwiw in practice this doesn't cause issues from what I can see.
Not sure what the best fix here would be?
Now that 809bfa2 is merged this should add the Infrastructure changes back in again as this now introduces the dependency on Trusted Types. |
See w3c/trusted-types#418 and whatwg#789. Supercedes PR whatwg#809.
…erved in Chrome." This reverts commit 2f00466.
This reverts commit 6e40964.
1ec907b
to
d6b3b5a
Compare
https://bugs.webkit.org/show_bug.cgi?id=275352 Reviewed by Darin Adler. The DOM spec PR no longer enforced Trusted Types within toggleAttribute so this removes that from the implementation. See whatwg/dom#1268 * LayoutTests/imported/w3c/web-platform-tests/trusted-types/Element-toggleAttribute-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/trusted-types/Element-toggleAttribute.html: Added. * Source/WebCore/dom/Element.cpp: (WebCore::Element::toggleAttribute): Canonical link: https://commits.webkit.org/279950@main
This is for consistency with how it is done in the HTML specification and in the PR to DOM (whatwg/dom#1268). This is not web-exposed but may matter for implementations. For example, they may generate different C++ structure to represent `(TrustedHTML or DOMString)` and `(DOMString or TrustedHTML)`.
This calls the get Trusted Types-compliant attribute value algorithm from Trusted Types (w3c/trusted-types#418) from attribute's change, append, and replace.
Changed the signature of setAttribute and setAttributeNS to accept Trusted Types as values. The underlying Attr node's values continue to be DOMString, so moving nodes across elements or adding standalone attributes to elements can cause TT violations. This matches WPT tests and the Chromium's implementation.
See and #789. Supercedes #809 and #1247
(See WHATWG Working Mode: Changes for more details.)
Preview | Diff