Rewrite Trusted types tests for CSP violations

Currently the listener to "securitypolicyviolation" is added before actually running the statement that triggers violations, so it could be possible that some violations are not caught. This bad pattern is duplicated in several `trusted-types*reporting*` tests. This patch adds a new helper file to properly wrap the listener registration and statement execution in a promise, and reuses it in existing tests. w3c/trusted-types#576
web-platform-tests · Jan 16, 2025 · fea1317 · fea1317
1 parent c9cae21
commit fea1317
Show file tree

Hide file tree

Showing 2 changed files with 194 additions and 186 deletions.
diff --git a/trusted-types/support/csp-violations.js b/trusted-types/support/csp-violations.js
@@ -0,0 +1,60 @@
+const trustedTypeDirectives = [
+  // https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-csp-directive
+  "require-trusted-types-for",
+  // https://w3c.github.io/trusted-types/dist/spec/#trusted-types-csp-directive
+  "trusted-types",
+];
+
+// A generic helper that runs function fn and return a promise resolving with
+// an array of reported violations for trusted type directives and a possible
+// exception thrown.
+function trusted_type_violations_and_exception_for(fn) {
+  return new Promise((resolve, reject) => {
+    // Listen for security policy violations.
+    let result = { violations: [], exception: null };
+    let handler = e => {
+      if (trustedTypeDirectives.includes(e.effectiveDirective)) {
+        result.violations.push(e);
+      } else if (e.effectiveDirective === "object-src") {
+        document.removeEventListener("securitypolicyviolation", handler);
+        e.stopPropagation();
+        resolve(result);
+      } else {
+	reject("Unexpected violation for directive ${e.effectiveDirective}");
+      }
+    }
+    document.addEventListener("securitypolicyviolation", handler);
+
+    // Run the specified function and record any exception.
+    try {
+      fn();
+    } catch(e) {
+      result.exception = e;
+    }
+
+    // Force an "object-src" violation, to make sure all the previous violations
+    // have been delivered. This assumes the test file's associated .headers
+    // file contains Content-Security-Policy: object-src 'none'.
+    var o = document.createElement('object');
+    o.type = "video/mp4";
+    o.data = "dummy.webm";
+    document.body.appendChild(o);
+  });
+}
+
+// Helper function when we expect one violation and exception.
+async function trusted_type_violation_for(expectedException, fn) {
+  let {violations, exception} =
+      await trusted_type_violations_and_exception_for(fn);
+  assert_equals(violations.length, 1, "a single violation reported");
+  assert_true(exception instanceof expectedException, "TypeError exception reported");
+  return violations[0];
+}
+
+// Helper function when we expect no violation or exception.
+async function no_trusted_type_violation_report_for(fn) {
+  let {violations, exception} =
+      await trusted_type_violations_and_exception_for(fn);
+  assert_equals(violations.length, 0, "no violation reported");
+  assert_equals(exception, null, "no exception thrown");
+}