Bug 1805632 - Add a new pref just for Element.setHTML without enabling the Sanitizer interface. r=freddyb,webidl,edgar

The purpose of this is to allow using setHTML(text) without specifying the sanitizer, and thus always getting
the default sanitizer policy.

Differential Revision: https://phabricator.services.mozilla.com/D164677
Tom Schuster 2022-12-19 15:56:35 +00:00
parent 649680ae32
commit 8cb9391ce6
4 changed files with 11 additions and 3 deletions


@ -1,6 +1,7 @@
[DEFAULT]
prefs =
dom.security.sanitizer.enabled=true
dom.security.setHTML.enabled=true
dom.security.sanitizer.rewrite_no_bounty=true
scheme=https
[test_sanitizer_api.html]
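Review bot: The configuration this commit exists for, `dom.security.setHTML.enabled=true` with `dom.security.sanitizer.enabled` left off, is not exercised by any test visible here. This manifest and the one-line prefs list in the last file section both appear to turn the new pref on alongside the existing sanitizer pref. I would add a test that runs with `dom.security.sanitizer.enabled=false` and `dom.security.setHTML.enabled=true`, checking that `Element.prototype.setHTML` is exposed, that the `Sanitizer` interface is not, and that markup passed to `setHTML(text)` is still sanitized with the default policy. Without it, a regression that exposes `setHTML` with no working sanitizer behind it would go unnoticed.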


@ -401,6 +401,6 @@ dictionary SetHTMLOptions {
};
partial interface Element {
[SecureContext, UseCounter, Throws, Pref="dom.security.sanitizer.enabled"]
undefined setHTML(DOMString aInnerHTML, optional SetHTMLOptions options = {});
[SecureContext, UseCounter, Throws, Pref="dom.security.setHTML.enabled"]
undefined setHTML(DOMString aInnerHTML, optional SetHTMLOptions options = {});
};
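Review bot: The `Pref` on `setHTML` is replaced rather than extended, so a profile that sets only `dom.security.sanitizer.enabled` would get the Sanitizer interface but no longer get `Element.setHTML`; if that is intended it deserves a comment above the method. The signature also still takes `optional SetHTMLOptions options = {}`. The dictionary body starts outside this hunk, so it cannot be confirmed from here that a caller under the setHTML-only pref has no way to supply a non-default sanitizer. I would add a comment such as `// Gated separately from the Sanitizer interface; with only this pref set, callers get the default sanitizer config.` and check that the binding rejects or ignores a custom sanitizer in that configuration.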


@ -3705,6 +3705,13 @@
value: false
mirror: always
# Pref that controls the Element.setHTML API idenpendetly of the sanitizer
# API.
- name: dom.security.setHTML.enabled
type: bool
value: false
mirror: always
# The Sanitizer implementation is currently being rewritten and
# is known to be incomplete. Fuzzing and testing and this point
# would be premature.
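Review bot: The comment on the new `dom.security.setHTML.enabled` entry misspells "independently" as `idenpendetly`, and it does not mention how the new pref affects the older one. I would write `# Pref that controls the Element.setHTML API independently of the Sanitizer` followed by `# interface; dom.security.sanitizer.enabled alone does not expose setHTML.`, which matches the WebIDL change in this commit. The entry keeps `value: false`, which fits the following comment's statement that the Sanitizer implementation is known to be incomplete.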


@ -1 +1 @@
prefs: [dom.security.sanitizer.enabled:true, dom.security.sanitizer.rewrite_no_bounty:true]
prefs: [dom.security.sanitizer.enabled:true, dom.security.setHTML.enabled:true, dom.security.sanitizer.rewrite_no_bounty:true]