Bug 1589409 [wpt PR 19762] - [Trusted Types] Remove TrustedURL., a=testonly

Automatic update from web-platform-tests
[Trusted Types] Remove TrustedURL.

The current Trusted Types spec no longer supports TrustedURL. This CL adapts
to the spec.

Reland after revert (crrev.com/c/1866406)

Bug: 1002555
Change-Id: Ia683ad3ff4e7390ba59bf7313fd605c976cea3b1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1834142
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#706886}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1864798
Cr-Commit-Position: refs/heads/master@{#706959}

--

wpt-commits: 776c49d09c52ec0770b847892380f96b09655b14
wpt-pr: 19762
Daniel Vogelheim 2019-10-22 16:19:41 +00:00 committed by James Graham
parent bd0bc2813e
commit ea03eefa00
26 changed files with 57 additions and 734 deletions


@ -3,7 +3,6 @@
typedef (DOMString or TrustedHTML) HTMLString;
typedef (DOMString or TrustedScript) ScriptString;
typedef (DOMString or TrustedScriptURL) ScriptURLString;
typedef (USVString or TrustedURL) URLString;
[Exposed=(Window, Worker)]
interface TrustedHTML {
@ -20,11 +19,6 @@ interface TrustedScriptURL {
stringifier;
};
[Exposed=(Window, Worker)]
interface TrustedURL {
stringifier;
};
[Exposed=(Window, Worker)]
interface TrustedTypePolicyFactory {
[Unforgeable] TrustedTypePolicy createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions);
@ -38,14 +32,12 @@ interface TrustedTypePolicy {
[Unforgeable] TrustedHTML createHTML(DOMString input);
[Unforgeable] TrustedScript createScript(DOMString input);
[Unforgeable] TrustedScriptURL createScriptURL(DOMString input);
[Unforgeable] TrustedURL createURL(DOMString input);
};
dictionary TrustedTypePolicyOptions {
CreateHTMLCallback createHTML;
CreateScriptCallback createScript;
CreateURLCallback createScriptURL;
CreateURLCallback createURL;
};
callback CreateHTMLCallback = DOMString (DOMString input);


@ -6,29 +6,6 @@
</head>
<body>
<script>
// TrustedURL Assignments
let testCases = [
[ 'a', 'href' ],
[ 'area', 'href' ],
[ 'base', 'href' ],
[ 'frame', 'src' ],
[ 'iframe', 'src' ],
[ 'img', 'src' ],
[ 'input', 'src' ],
[ 'link', 'href' ],
[ 'video', 'src' ],
[ 'object', 'data' ],
[ 'object', 'codeBase' ],
[ 'source', 'src' ],
[ 'track', 'src' ]
];
testCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_url_explicit_set(window, c, t, c[0], c[1], RESULTS.URL);
}, c[0] + "." + c[1] + " assigned via policy (successful URL transformation)");
});
// TrustedScriptURL Assignments
let scriptTestCases = [
[ 'embed', 'src' ],
@ -54,8 +31,8 @@
// Other attributes can be assigned with TrustedTypes or strings or null values
test(t => {
assert_element_accepts_trusted_url_explicit_set(window, 'arel', t, 'a', 'rel', RESULTS.URL);
}, "a.rel assigned via policy (successful URL transformation)");
assert_element_accepts_trusted_script_url_explicit_set(window, 'scriptsrc1', t, 'script', 'src', RESULTS.SCRIPTURL);
}, "script.src assigned via policy (successful script transformation)");
test(t => {
assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', 'A string', 'A string');
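Review bot: The test that replaces the `a.rel` case no longer matches the comment above it, "Other attributes can be assigned with TrustedTypes or strings or null values". This assumes the `script.src` lines are the new side, since the page has lost its +/- markers. `script.src` is a TrustedScriptURL sink rather than an unconstrained attribute, and it is presumably already covered by `scriptTestCases` earlier in the file, so nothing here checks that a trusted value can still be assigned to an attribute without a type constraint. I would keep `a.rel` as the target and swap only the type: `assert_element_accepts_trusted_script_url_explicit_set(window, 'arel', t, 'a', 'rel', RESULTS.SCRIPTURL);`, with the title adjusted to match. The new title also says "script transformation" where the value is a script URL.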


@ -18,10 +18,8 @@
assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);
}, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");
test(t => {
assert_element_accepts_trusted_url_set_ns(window, '3', t, 'a', 'b', RESULTS.URL);
}, "Element.setAttributeNS assigned via policy (successful URL transformation)");
// TODO: Is there any non-URL, namespaced accessor left?
/*
test(t => {
let p = createURL_policy(window, '5');
let url = p.createURL(INPUTS.URL);
@ -31,5 +29,6 @@
let attr_node = elem.getAttributeNodeNS("http://www.w3.org/1999/xlink", "href");
assert_equals(attr_node.value + "", RESULTS.URL);
}, "Element.setAttributeNS accepts a URL on <svg:image xlink:href/>");
*/
</script>
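Review bot: The `xlink:href` test is disabled by wrapping it in `/* … */` instead of being removed or ported, so the file keeps dead code that still calls `createURL_policy` and `p.createURL`, both of which this commit removes elsewhere. The added TODO asks whether any non-URL namespaced accessor is left. Other tests in this commit treat `xlink:href` on `<svg:script>` as a TrustedScriptURL sink, so the case could be ported to that element with a script-URL policy. If it is not ported, delete the block and leave a tracked note such as `// TODO(<issue id>): add a namespaced TrustedScriptURL case for the non-enforcing mode`. The middle of the disabled test lies between the two hunks and is not visible here.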


@ -7,28 +7,6 @@
<body>
<script>
var testnb = 0;
// TrustedURL Assignments
const URLTestCases = [
[ 'a', 'href' ],
[ 'area', 'href' ],
[ 'base', 'href' ],
[ 'frame', 'src' ],
[ 'iframe', 'src' ],
[ 'img', 'src' ],
[ 'input', 'src' ],
[ 'link', 'href' ],
[ 'video', 'src' ],
[ 'object', 'data' ],
[ 'object', 'codeBase' ],
[ 'source', 'src' ],
[ 'track', 'src' ]
];
URLTestCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_url(window, ++testnb, t, c[0], c[1], RESULTS.URL);
}, c[0] + "." + c[1] + " assigned via policy (successful URL transformation)");
});
// TrustedScriptURL Assignments
const scriptURLTestCases = [


@ -1,13 +0,0 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<body>
<script>
test(t => {
let p = createURL_policy(window, 1);
let url = p.createURL(location.href + "#xxx");
location.assign(url);
assert_equals("" + url, location.href, "location href");
}, "location.assign via policy (successful URL transformation).");
</script>


@ -1,13 +0,0 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<body>
<script>
test(t => {
let p = createURL_policy(window, 1);
let url = p.createURL(location.href + "#xxx");
location.href = url;
assert_equals("" + url, location.href, "location href");
}, "location.href assigned via policy (successful URL transformation).");
</script>


@ -1,13 +0,0 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<body>
<script>
test(t => {
let p = createURL_policy(window, 1);
let url = p.createURL(location.href + "#xxx");
location.replace(url);
assert_equals("" + url, location.href, "location href");
}, "location.replace via policy (successful URL transformation).");
</script>


@ -12,10 +12,8 @@
createScript: s => s
});
assert_throws(new TypeError(), _ => { p1.createScriptURL("foo"); });
assert_throws(new TypeError(), _ => { p1.createURL("foo"); });
const p2 = trustedTypes.createPolicy("policyURLAndScriptURL", {
createURL: s => s,
createScriptURL: s => s
});
assert_throws(new TypeError(), _ => { p2.createHTML("foo"); });
@ -26,23 +24,18 @@
const noopPolicy = {
createHTML: (s) => s,
createScriptURL: (s) => s,
createURL: (s) => s,
createScript: (s) => s,
};
policy = trustedTypes.createPolicy(Math.random(), noopPolicy, true);
let el = document.createElement("div");
el.title = policy.createHTML(INPUTS.URL);
assert_equals(el.title, INPUTS.URL);
el.title = policy.createURL(INPUTS.HTML);
assert_equals(el.title, INPUTS.HTML);
el.title = policy.createHTML(INPUTS.SCRIPTURL);
assert_equals(el.title, INPUTS.SCRIPTURL);
}, "Attributes without type constraints will work as before.");
test(t => {
const policy = trustedTypes.createPolicy("nullpolicy", null);
assert_throws(new TypeError(), _ => { policy.createScriptURL("foo"); });
assert_throws(new TypeError(), _ => { policy.createURL("foo"); });
assert_throws(new TypeError(), _ => { policy.createHTML("foo"); });
assert_throws(new TypeError(), _ => { policy.createScript("foo"); });
}, "trustedTypes.createPolicy(.., null) creates empty policy.");
@ -95,7 +88,6 @@
const testCases = [
[TrustedHTML, "createHTML", "whatever", stringTestCases],
[TrustedScript, "createScript", "whatever", stringTestCases],
[TrustedURL, "createURL", INPUTS.SCRIPTURL, urlTestCases],
[TrustedScriptURL, "createScriptURL", INPUTS.SCRIPTURL, urlTestCases],
];


@ -224,79 +224,4 @@
p.createURL(INPUTS.URL);
});
}, "createScriptURL defined - calling undefined callbacks throws");
//URL tests
function createURLTest(policyName, policy, expectedURL, t) {
let p = window.trustedTypes.createPolicy(policyName, policy);
let url = p.createURL(INPUTS.URL);
assert_true(url instanceof TrustedURL);
assert_true(trustedTypes.isURL(url));
assert_equals(url + "", expectedURL);
}
test(t => {
createURLTest('TestPolicyURL1', { createURL: s => s }, INPUTS.URL, t);
}, "url = identity function");
test(t => {
createURLTest('TestPolicyURL2', { createURL: s => null }, "", t);
}, "url = null");
var URLstr = '#x';
test(t => {
createURLTest('TestPolicyURL3', { createURL: s => s + URLstr }, INPUTS.URL + URLstr, t);
}, "url = string + global string");
var URLx = 'global';
test(t => {
createURLTest('TestPolicyURL4', { createURL: s => { URLx = s; return s; } }, INPUTS.URL, t);
assert_equals(URLx, INPUTS.URL);
}, "url = identity function, global string changed");
test(t => {
let p = window.trustedTypes.createPolicy('TestPolicyURL5', {
createURL: s => { throw new Error(); }
});
assert_throws(new Error(), _ => {
p.createURL(INPUTS.URL);
});
}, "url = callback that throws");
function getURL(s) {
return s + this.bar;
}
var obj = {
"bar": "#x"
}
test(t => {
createURLTest('TestPolicyURL6', { createURL: getURL.bind(obj) }, INPUTS.URL + "#x", t);
}, "url = this bound to an object");
var bar = "#x";
test(t => {
createURLTest('TestPolicyURL7', { createURL: s => getURL(s) }, INPUTS.URL + bar, t);
}, "url = this without bind");
test(t => {
let p = window.trustedTypes.createPolicy('TestPolicyURL8', null);
assert_throws(new TypeError(), _ => {
p.createURL(INPUTS.URL);
});
}, "url - calling undefined callback throws");
test(t => {
let p = window.trustedTypes.createPolicy('TestPolicyURL9', { createURL: createURLJS });
assert_throws(new TypeError(), _ => {
p.createHTML(INPUTS.HTML);
});
assert_throws(new TypeError(), _ => {
p.createScript(INPUTS.SCRIPT);
});
assert_throws(new TypeError(), _ => {
p.createScriptURL(INPUTS.SCRIPTURL);
});
}, "createURL defined - calling undefined callbacks throws");
</script>


@ -8,10 +8,11 @@
<div id="target"></div>
<script>
test(t => {
assert_equals(trustedTypes.getPropertyType("a", "href"), "TrustedURL");
assert_equals(trustedTypes.getPropertyType("a", "id"), null);
assert_equals(trustedTypes.getPropertyType("a", "b"), null);
}, "sanity check trustedTypes.getPropertyType for the HTML a element.");
assert_equals(trustedTypes.getPropertyType("script", "text"), "TrustedScript");
assert_equals(trustedTypes.getPropertyType("script", "src"), "TrustedScriptURL");
assert_equals(trustedTypes.getPropertyType("script", "id"), null);
assert_equals(trustedTypes.getPropertyType("script", "b"), null);
}, "sanity check trustedTypes.getPropertyType for the HTML script element.");
test(t => {
assert_equals(trustedTypes.getAttributeType("img", "onerror"), "TrustedScript");
@ -28,11 +29,9 @@
test(t => {
// returns the proper type for attribute-related properties
assert_equals(trustedTypes.getPropertyType("script", "src"), "TrustedScriptURL");
assert_equals(trustedTypes.getPropertyType("img", "src"), "TrustedURL");
// is case insensitive for tag names
assert_equals(trustedTypes.getPropertyType("SCRIPT", "src"), "TrustedScriptURL");
assert_equals(trustedTypes.getPropertyType("ImG", "src"), "TrustedURL");
// is case sensitive for property names
assert_equals(trustedTypes.getPropertyType("script", "sRc"), null);
@ -53,7 +52,6 @@
test(t => {
// returns the proper type
assert_equals(trustedTypes.getAttributeType('script', 'src'), 'TrustedScriptURL');
assert_equals(trustedTypes.getAttributeType('img', 'src'), 'TrustedURL');
// ignores attributes from unknown namespaces
assert_equals(trustedTypes.getAttributeType(
@ -61,11 +59,9 @@
// is case insensitive for element names
assert_equals(trustedTypes.getAttributeType('SCRIPT', 'src'), 'TrustedScriptURL');
assert_equals(trustedTypes.getAttributeType('imG', 'src'), 'TrustedURL');
// is case insensitive for the attribute names
assert_equals(trustedTypes.getAttributeType('script', 'SRC'), 'TrustedScriptURL');
assert_equals(trustedTypes.getAttributeType('imG', 'srC'), 'TrustedURL');
// supports the inline event handlers
assert_equals(trustedTypes.getAttributeType('img', 'onerror'), 'TrustedScript');
@ -82,7 +78,6 @@
// Spot testing some values.
assert_equals(map["script"].attributes.src, "TrustedScriptURL");
assert_equals(map["img"].attributes.src, "TrustedURL");
assert_equals(map["*"].properties.innerHTML, "TrustedHTML");
assert_equals(map["foo"], undefined);
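Review bot: Nothing in this file asserts that the former TrustedURL sinks now report no type, because the sanity check is retargeted from `a` to `script` and every assertion that named "TrustedURL" is dropped. An implementation that still returned "TrustedURL" for `a.href` or `img.src` would pass all of these tests. I would add negative assertions beside the existing ones, for example `assert_equals(trustedTypes.getPropertyType("a", "href"), null);` and `assert_equals(trustedTypes.getAttributeType("img", "src"), null);`. The new sanity check also repeats the `script`/`src` assertion that the later getPropertyType test already makes.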


@ -10,7 +10,6 @@
const noopPolicy = {
'createHTML': (s) => s,
'createScriptURL': (s) => s,
'createURL': (s) => s,
'createScript': (s) => s,
};
@ -65,23 +64,6 @@
assert_false(trustedTypes.isScriptURL(script3));
}, 'TrustedTypePolicyFactory.isScriptURL requires the object to be created via policy.');
// isURL tests
test(t => {
const p = trustedTypes.createPolicy('url', noopPolicy);
let url = p.createURL(INPUTS.URL);
assert_true(trustedTypes.isURL(url));
let url2 = Object.create(url);
// instanceof can pass, but we rely on isScript
assert_true(url2 instanceof TrustedURL);
assert_false(trustedTypes.isURL(url2));
let url3 = Object.assign({}, url, {toString: () => 'fake'});
assert_false(trustedTypes.isURL(url3));
}, 'TrustedTypePolicyFactory.isURL requires the object to be created via policy.');
// Test non-object parameters.
test(t => {
assert_false(trustedTypes.isHTML(null));
@ -94,11 +76,6 @@
assert_false(trustedTypes.isScript(0.5));
assert_false(trustedTypes.isScript('test'));
assert_false(trustedTypes.isScript({}));
assert_false(trustedTypes.isURL(null));
assert_false(trustedTypes.isURL(123));
assert_false(trustedTypes.isURL(0.5));
assert_false(trustedTypes.isURL('test'));
assert_false(trustedTypes.isURL({}));
assert_false(trustedTypes.isScriptURL(null));
assert_false(trustedTypes.isScriptURL(123));
assert_false(trustedTypes.isScriptURL(0.5));
@ -126,30 +103,19 @@
assert_false(trustedTypes.isScriptURL({}));
}, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined.');
test(t => {
try { trustedTypes.isURL = () => 'fake'; } catch { }
assert_false(trustedTypes.isURL({}));
}, 'TrustedTypePolicyFactory.isURL cannot be redefined.');
// Redefinition tests, via Object.defineProperty.
test(t => {
try { Object.defineProperty(TrustedTypes, 'isHTML', () => 'fake'); } catch { }
try { Object.defineProperty(trustedTypes, 'isHTML', () => 'fake'); } catch { }
assert_false(trustedTypes.isHTML({}));
}, 'TrustedTypePolicyFactory.IsHTML cannot be redefined via defineProperty.');
test(t => {
try { Object.defineProperty(TrustedTypes, 'isScript', () => 'fake'); } catch { }
try { Object.defineProperty(trustedTypes, 'isScript', () => 'fake'); } catch { }
assert_false(trustedTypes.isScript({}));
}, 'TrustedTypePolicyFactory.isScript cannot be redefined via definePropert.');
test(t => {
try { Object.defineProperty(TrustedTypes, 'isScriptURL', () => 'fake'); } catch { }
try { Object.defineProperty(trustedTypes, 'isScriptURL', () => 'fake'); } catch { }
assert_false(trustedTypes.isScriptURL({}));
}, 'TrustedTypePolicyFactory.isScriptURL cannot be redefined via definePropert.');
test(t => {
try { Object.defineProperty(TrustedTypes, 'isURL', () => 'fake'); } catch { }
assert_false(trustedTypes.isURL({}));
}, 'TrustedTypePolicyFactory.isURL cannot be redefined via definePropert.');
</script>
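Review bot: The three `defineProperty` tests still pass without attempting a redefinition, because the third argument in `Object.defineProperty(trustedTypes, 'isHTML', () => 'fake')` is a function rather than a property descriptor. A function has no `value`, `get` or `set` field, so the call asks for no change and the following `assert_false` proves nothing. Correcting `TrustedTypes` to `trustedTypes` (assuming the lowercase lines are the new side) removes the swallowed ReferenceError but leaves the check vacuous. Pass a real descriptor in the isHTML, isScript and isScriptURL tests: `Object.defineProperty(trustedTypes, 'isHTML', { value: () => 'fake' });`. Two of the titles also read "definePropert".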


@ -8,18 +8,15 @@
<body>
<div id="target"></div>
<script>
const policy = trustedTypes.createPolicy("anythinggoes", {
"createHTML": x => x,
"createScript": x => x,
"createURL": x => x,
"createScriptURL": x => x,
});
const create_value = {
"TrustedHTML": policy.createHTML("hello"),
"TrustedScript": policy.createScript("x => x + x"),
"TrustedURL": policy.createURL("https://url.invalid/"),
"TrustedScriptURL": policy.createScriptURL("https://url.invalid/blubb.js"),
null: "empty",
};
@ -34,8 +31,7 @@
// Also add several event handlers (onclick).
let elements = ['madeup', 'b'];
let properties = ['madeup', 'id', "onerror", "onclick"];
const types = [null, "TrustedHTML", "TrustedScript", "TrustedScriptURL",
"TrustedURL"];
const types = [null, "TrustedHTML", "TrustedScript", "TrustedScriptURL"];
// We'll wrap construction of the elements/properties list in a test, mainly
// so we'll get decent error messages when it might fail.
@ -112,6 +108,11 @@
// return and hence skip the result comparison.
case "outerHTML":
return;
// URL-typed accessors
case "src":
if (elem == "iframe")
return;
break;
// Properties starting with "on" are usually error handlers,
// which will parse their input as a function. In this case,
// also skip the result comparison.
@ -142,6 +143,5 @@
}
}
}
</script>
</body>
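Review bot: The new `case "src"` branch returns early for `iframe`, which skips the result comparison, but its only comment is "URL-typed accessors" and that does not say why `iframe` is special. A reader cannot tell whether the skip exists because assigning `iframe.src` changes the read-back value or for some other reason, and an unexplained early return in a test is easy to widen later. Add a why-comment in the style of the neighbouring cases, e.g. `// iframe.src: <reason the read-back value differs>; skip the result comparison.`, and use `===` in `if (elem == "iframe")`. The enclosing switch starts outside the hunk.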


@ -1,25 +0,0 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<body>
<script>
// helper functions for the tests
function testWindowOpen(t, win, testNumber) {
let p = createURL_policy(window, testNumber);
let url = p.createURL(INPUTS.URL);
let child_window = win.open(url, "", "");
child_window.onload = t.step_func_done(_ => {
assert_equals(child_window.location.href, "" + url);
child_window.close();
});
}
test(t => {
testWindowOpen(t, window, 1);
}, "window.open via policy (successful URL transformation).");
test(t => {
testWindowOpen(t, document, 2);
}, "document.open via policy (successful URL transformation).");
</script>


@ -11,33 +11,6 @@
<script>
const nullPolicy = trustedTypes.createPolicy('NullPolicy', {createScript: s => s});
// TrustedURL Assignments
const URLTestCases = [
[ 'a', 'href' ],
[ 'area', 'href' ],
[ 'base', 'href' ],
[ 'button', 'formAction' ],
[ 'form', 'action' ],
[ 'frame', 'src' ],
[ 'iframe', 'src' ],
[ 'img', 'src' ],
[ 'input', 'formAction' ],
[ 'input', 'src' ],
[ 'link', 'href' ],
[ 'video', 'src' ],
[ 'source', 'src' ],
[ 'track', 'src' ]
];
URLTestCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_url_explicit_set(window, c, t, c[0], c[1], RESULTS.URL);
assert_throws_no_trusted_type_explicit_set(c[0], c[1], 'A string');
assert_throws_no_trusted_type_explicit_set(c[0], c[1], null);
assert_throws_no_trusted_type_explicit_set(c[0], c[1], nullPolicy.createScript('script'));
}, c[0] + "." + c[1] + " accepts only TrustedURL");
});
// TrustedScriptURL Assignments
const scriptURLTestCases = [
[ 'embed', 'src' ],
@ -83,24 +56,17 @@
});
test(t => {
let el = document.createElement('iframe');
let el = document.createElement('script');
assert_throws(new TypeError(), _ => {
el.setAttribute('SrC', INPUTS.URL);
});
assert_equals(el.src, '');
}, "`Element.prototype.setAttribute.SrC = string` throws.");
}, "`Script.prototype.setAttribute.SrC = string` throws.");
// After default policy creation string and null assignments implicitly call createXYZ
let p = window.trustedTypes.createPolicy("default", { createURL: createURLJS, createScriptURL: createScriptURLJS, createHTML: createHTMLJS, createScript: createScriptJS }, true);
URLTestCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_type(c[0], c[1], INPUTS.URL, RESULTS.URL);
assert_element_accepts_trusted_type(c[0], c[1], null, window.location.toString().replace(/[^\/]*$/, "null"));
}, c[0] + "." + c[1] + " accepts string and null after default policy was created.");
});
let p = window.trustedTypes.createPolicy("default", { createScriptURL: createScriptURLJS, createHTML: createHTMLJS, createScript: createScriptJS }, true);
scriptURLTestCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_type(c[0], c[1], INPUTS.SCRIPTURL, RESULTS.SCRIPTURL);
@ -123,10 +89,6 @@
});
// Other attributes can be assigned with TrustedTypes or strings or null values
test(t => {
assert_element_accepts_trusted_url_explicit_set(window, 'arel', t, 'a', 'rel', RESULTS.URL);
}, "a.rel assigned via policy (successful URL transformation)");
test(t => {
assert_element_accepts_non_trusted_type_explicit_set('a', 'rel', 'A string', 'A string');
}, "a.rel accepts strings");
@ -136,14 +98,14 @@
}, "a.rel accepts null");
test(t => {
let div = document.createElement('div');
let span = document.createElement('span');
let embed = document.createElement('embed');
let script = document.createElement('script');
div.setAttribute('src', INPUTS.URL);
let attr = div.getAttributeNode('src');
div.removeAttributeNode(attr);
span.setAttributeNode(attr);
embed.setAttribute('src', INPUTS.SCRIPTURL);
let attr = embed.getAttributeNode('src');
embed.removeAttributeNode(attr);
script.setAttributeNode(attr);
assert_equals(span.getAttribute('src'), INPUTS.URL);
}, "`span.src = setAttributeNode(div.src)` with string works.");
assert_equals(script.getAttribute('src'), RESULTS.SCRIPTURL);
}, "`script.src = setAttributeNode(embed.src)` with string works.");
</script>
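Review bot: The rewritten `setAttributeNode` test moves the `src` attribute node from `embed` to `script`, both of which are TrustedScriptURL sinks, and it runs after the default policy has been created. The value has therefore already passed through the policy when it is set on `embed`, and the final assertion compares against `RESULTS.SCRIPTURL`. The case that matters for enforcement is no longer exercised: an attribute node created on an element with no type constraint (the old test used `div`) and then attached to `script`. I would add a companion test, placed before the default policy is created, that sets `src` on a `div`, moves the node with `script.setAttributeNode(attr)`, and asserts what the spec requires there (presumably a TypeError; confirm against the spec). The title "with string works" is also misleading now that the asserted value is the policy output.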


@ -21,10 +21,6 @@
assert_element_accepts_trusted_script_url_set_ns(window, '2', t, 'a', 'b', RESULTS.SCRIPTURL);
}, "Element.setAttributeNS assigned via policy (successful ScriptURL transformation)");
test(t => {
assert_element_accepts_trusted_url_set_ns(window, '3', t, 'a', 'b', RESULTS.URL);
}, "Element.setAttributeNS assigned via policy (successful URL transformation)");
// Unknown, namespaced attributes should not be TT checked:
test(t => {
assert_element_accepts_non_trusted_type_set_ns('a', 'b', 'A string', 'A string');
@ -35,84 +31,12 @@
}, "Element.setAttributeNS accepts null for non-specced accessor");
// Setup trusted values for use in subsequent tests.
const url = createURL_policy(window, '4').createURL(INPUTS.URL);
const script_url = createScriptURL_policy(window, '5').createScriptURL(INPUTS.ScriptURL);
const html = createHTML_policy(window, '6').createHTML(INPUTS.HTML);
const script = createScript_policy(window, '7').createScript(INPUTS.Script);
// SVG elements that use xlink:href (SVGURIReference) and that expect
// TrustedURL.
// There a number of affected elements, and there are several ways to set
// a namespaced attribute. Let's iterate over all combinations.
const xlink = "http://www.w3.org/1999/xlink";
const svg = "http://www.w3.org/2000/svg";
const elems = [ "a", "animate", "animateMotion", "animateTransform",
"discard", "feImage", "filter", "image", "linearGradient",
"mpath", "pattern", "radialGradient", "set", "textPath",
"use" ];
// There are multiple ways to set a namespaced attribute. Let's encapsulate
// each in a function.
const variants = {
"setAttributeNS with prefix": (element_name, value) => {
let elem = document.createElementNS(svg, element_name);
elem.setAttributeNS(xlink, "xlink:href", value);
return elem;
},
"setAttributeNS without prefix": (element_name, value) => {
let elem = document.createElementNS(svg, element_name);
elem.setAttributeNS(xlink, "href", value);
return elem;
},
"setAttribute with prefix": (element_name, value) => {
let elem = document.createElementNS(svg, element_name);
// Create the namespaced attribute with setAttributeNS. Then refer
// to it with the prefix in setAttribute. This test will break
// if either setAttributeNS or setAttribtue functionality it broken.
elem.setAttributeNS(xlink, "xlink:href", url);
elem.setAttribute("xlink:href", value);
return elem;
}
};
for (const e of elems) {
for (const variant in variants) {
// Assigning a TrustedURL works.
test(t => {
let elem = variants[variant](e, url);
assert_equals("" + RESULTS.URL,
elem.getAttributeNodeNS(xlink, "href").value);
}, "Assigning TrustedURL to <svg:" + e + "> works via " + variant);
// Assigning things that ought to not work.
const values = ["abc", null, script_url, html, script];
values.forEach((value, index) => {
test(t => {
assert_throws(new TypeError(), _ => { variants[variant](e, value); });
}, "Blocking non-TrustedURL assignment to <svg:" + e + "> via " +
variant + " value no " + index);
});
}
}
// Test 'synchronization' of 'xlink:href'.
test(t => {
// ..setAttribute("xlink:href") will behave differently, depending on
// whether the element already has an attribute by that name. Make sure
// that Trusted Type handling respects that difference.
// Case 1: "xlink:href" on an empty element: This is an unknown attribute
// not processed by SVG, and string assignment should work.
let elem1 = document.createElementNS(svg, "a");
elem1.setAttribute("xlink:href", "abc");
// Case 2: "xlink:href", after a namespaced attribute has been set: Now
// this mirrors the SVG attribute, and string assignment should fail.
let elem2 = document.createElementNS(svg, "a");
elem2.setAttributeNS(xlink, "xlink:href", url);
assert_throws(new TypeError(), _ => {
elem2.setAttribute("xlink:href", "abc");
});
}, "Test synchronized, namespaced attributes.");
// svg:script xlink:href=... expects a TrustedScriptURL.
// Assigning a TrustedScriptURL works.
@ -126,7 +50,7 @@
// Assigning things that ought to not work.
test(t => {
let elem = document.createElementNS(svg, "script");
const values = [ "abc", null, url, html, script ];
const values = [ "abc", null, html, script ];
for (const v of values) {
assert_throws(new TypeError(), _ => {
elem.setAttributeNS(xlink, "href", v);
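Review bot: The setup lines this change keeps read `INPUTS.ScriptURL` and `INPUTS.Script`, while every other test on this page uses upper-case keys (`INPUTS.SCRIPTURL`, `INPUTS.SCRIPT`, `INPUTS.HTML`). The helper file is not shown, but if INPUTS defines only the upper-case keys, `script_url` and `script` are built from `undefined`. The negative tests that consume them would still throw, since only the wrapper type matters there, but the fixtures would not hold what their names claim. Use `createScriptURL(INPUTS.SCRIPTURL)` and `createScript(INPUTS.SCRIPT)` so the values match the rest of the suite.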


@ -10,32 +10,6 @@
<body>
<script>
var testnb = 0;
// TrustedURL Assignments
const URLTestCases = [
[ 'a', 'href' ],
[ 'area', 'href' ],
[ 'base', 'href' ],
[ 'button', 'formAction' ],
[ 'form', 'action' ],
[ 'frame', 'src' ],
[ 'iframe', 'src' ],
[ 'img', 'src' ],
[ 'input', 'formAction' ],
[ 'input', 'src' ],
[ 'link', 'href' ],
[ 'video', 'src' ],
[ 'source', 'src' ],
[ 'track', 'src' ]
];
URLTestCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_url(window, ++testnb, t, c[0], c[1], RESULTS.URL);
assert_throws_no_trusted_type(c[0], c[1], 'A string');
assert_throws_no_trusted_type(c[0], c[1], null);
}, c[0] + "." + c[1] + " accepts only TrustedURL");
});
// TrustedScriptURL Assignments
const scriptURLTestCases = [
[ 'embed', 'src' ],
@ -69,14 +43,7 @@
});
// After default policy creation string and null assignments implicitly call createHTML
let p = window.trustedTypes.createPolicy("default", { createURL: createURLJS, createScriptURL: createScriptURLJS, createHTML: createHTMLJS }, true);
URLTestCases.forEach(c => {
test(t => {
assert_element_accepts_trusted_type(c[0], c[1], INPUTS.URL, RESULTS.URL);
assert_element_accepts_trusted_type(c[0], c[1], null, window.location.toString().replace(/[^\/]*$/, "null"));
}, c[0] + "." + c[1] + " accepts string and null after default policy was created");
});
let p = window.trustedTypes.createPolicy("default", { createScriptURL: createScriptURLJS, createHTML: createHTMLJS }, true);
scriptURLTestCases.forEach(c => {
test(t => {
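Review bot: The rewritten default-policy line still passes `true` as a third argument to `createPolicy`, although the IDL in this same commit declares `createPolicy(DOMString policyName, TrustedTypePolicyOptions policyOptions)` with two parameters. The extra argument is ignored and reads like a leftover from an earlier API shape, so I would write `let p = window.trustedTypes.createPolicy("default", { createScriptURL: createScriptURLJS, createHTML: createHTMLJS });`. The same leftover appears on the default-policy line rewritten in the previous file section, the one that also passes `createScript: createScriptJS`. The comment above the line says assignments implicitly call createHTML, although the policy also defines createScriptURL.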


@ -1,53 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy" content="trusted-types *">
</head>
<body>
<script>
// TrustedURL assignments do not throw.
test(t => {
let p = createURL_policy(window, 1);
let url = p.createURL(location.href + "#xxx");
location.assign(url);
assert_equals("" + url, location.href, "location href");
}, "location.assign via policy (successful URL transformation).");
// String assignments throw.
test(t => {
let href = location.href;
assert_throws(new TypeError(), _ => {
location.assign("A string");
});
assert_equals(location.href, href);
}, "`location.assign = string` throws");
// Null assignment throws.
test(t => {
let href = location.href;
assert_throws(new TypeError(), _ => {
location.assign(null);
});
assert_equals(location.href, href);
}, "`location.assign = null` throws");
// Create default policy. Applies to all subsequent tests.
let p = window.trustedTypes.createPolicy("default",
{ createURL: createLocationURLJS }, true);
// After default policy creation string assignment implicitly calls createURL.
test(t => {
location.assign("abcdefg");
assert_true(location.href.endsWith("#abcdefg"));
}, "`location.assign = string` via default policy (successful URL transformation).");
// After default policy creation null assignment implicitly calls createURL.
test(t => {
location.assign(null);
assert_true(location.href.endsWith("#null"));
}, "`location.assign = null` via default policy does not throw.");
</script>


@ -1,53 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy" content="trusted-types *">
</head>
<body>
<script>
// TrustedURL assignments do not throw.
test(t => {
let p = createURL_policy(window, 1);
let url = p.createURL(location.href + "#xxx");
location.href = url;
assert_equals("" + url, location.href, "location href");
}, "location.href assigned via policy (successful URL transformation).");
// String assignments throw.
test(t => {
let href = location.href;
assert_throws(new TypeError(), _ => {
location.href = 'A string';
});
assert_equals(location.href, href);
}, "`location.href = string` throws");
// Null assignment throws.
test(t => {
let href = location.href;
assert_throws(new TypeError(), _ => {
location.href = null;
});
assert_equals(location.href, href);
}, "`location.href = null` throws");
// Create default policy. Applies to all subsequent tests.
let p = window.trustedTypes.createPolicy("default",
{ createURL: createLocationURLJS }, true);
// After default policy creation string assignment implicitly calls createURL.
test(t => {
location.href = "xxxx";
assert_true(location.href.endsWith("#xxxx"));
}, "`location.href = string` via default policy (successful URL transformation).");
// After default policy creation null assignment implicitly calls createURL.
test(t => {
location.href = null;
assert_true(location.href.endsWith("#null"));
}, "`location.href = null` assigned via default policy does not throw.");
</script>


@ -1,53 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy" content="trusted-types *">
</head>
<body>
<script>
// TrustedURL replacements do not throw.
test(t => {
let p = createURL_policy(window, 1);
let url = p.createURL(location.href + "#xxx");
location.replace(url);
assert_equals("" + url, location.href, "location href");
}, "location.replace via policy (successful URL transformation).");
// String replacements throw.
test(t => {
let href = location.href;
assert_throws(new TypeError(), _ => {
location.replace("A string");
});
assert_equals(location.href, href);
}, "`location.replace = string` throws");
// Null replacement throws.
test(t => {
let href = location.href;
assert_throws(new TypeError(), _ => {
location.replace(null);
});
assert_equals(location.href, href);
}, "`location.replace = null` throws");
// Create default policy. Applies to all subsequent tests.
let p = window.trustedTypes.createPolicy("default",
{ createURL: createLocationURLJS }, true);
// After default policy creation string assignment implicitly calls createURL.
test(t => {
location.replace("potato");
assert_true(location.href.endsWith("#potato"));
}, "`location.replace = string` via default policy (successful URL transformation).");
// After default policy creation null assignment implicitly calls createURL.
test(t => {
location.replace(null);
assert_true(location.href.endsWith("#null"));
}, "`location.replace = null` via default policy (successful URL transformation).");
</script>


@ -1,85 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy" content="trusted-types *">
</head>
<body>
<script>
var testnb = 0;
// helper functions for the tests
function testWindowOpen(t, win, nb) {
let p = createURL_policy(window, nb);
let url = p.createURL(INPUTS.URL);
let child_window = win.open(url, "", "");
t.add_cleanup(_ => child_window.close());
child_window.onload = t.step_func_done(_ => {
assert_equals(child_window.location.href, "" + url);
});
}
function testWindowThrows(t, url, win, nb) {
let p = createURL_policy(window, nb);
assert_throws(new TypeError(), _ => {
let child_window = win.open(url, "", "");
});
}
function testWindowDoesntThrow(t, url, expected, win) {
let child_window = win.open(url, "", "");
t.add_cleanup(_ => child_window.close());
child_window.onload = t.step_func_done(_ => {
assert_equals(child_window.location.href, expected);
});
}
// TrustedURL assignments do not throw.
test(t => {
testWindowOpen(t, window, ++testnb);
}, "window.open via policy (successful URL transformation).");
test(t => {
testWindowOpen(t, document, ++testnb);
}, "document.open via policy (successful URL transformation).");
// String assignments throw.
test(t => {
testWindowThrows(t, 'A string', window, ++testnb);
}, "`window.open(string)` throws.");
test(t => {
testWindowThrows(t, 'A string', document, ++testnb);
}, "`document.open(string)` throws.");
// Null assignment throws.
test(t => {
testWindowThrows(t, null, window, ++testnb);
}, "`window.open(null)` throws.");
test(t => {
testWindowThrows(t, null, document, ++testnb);
}, "`document.open(null)` throws.");
// After default policy creation string assignment implicitly calls createURL.
let p = window.trustedTypes.createPolicy("default", { createURL: createURLJS }, true);
test(t => {
testWindowDoesntThrow(t, INPUTS.URL, RESULTS.URL, window);
}, "'window.open(string)' assigned via default policy (successful URL transformation).");
test(t => {
testWindowDoesntThrow(t, INPUTS.URL, RESULTS.URL, document);
}, "'document.open(string)' assigned via default policy (successful URL transformation).");
test(t => {
testWindowDoesntThrow(t, null, "null", window);
}, "'window.open(null)' assigned via default policy does not throw.");
test(t => {
testWindowDoesntThrow(t, null, "null", document);
}, "'document.open(null)' assigned via default policy does not throw.");
</script>
</body>
</html>


@ -39,7 +39,6 @@ promise_test(t => {
}, "Count SecurityPolicyViolation events.");
const testCases = [
[ "a", "href"],
[ "script", "src" ],
[ "div", "innerHTML" ],
[ "script", "text" ],
@ -71,7 +70,6 @@ function policy(str) {
}
trustedTypes.createPolicy("default", {
createURL: policy,
createScriptURL: policy,
createHTML: policy,
createScript: policy
@ -105,6 +103,6 @@ testCases.forEach(c => {
});
// Trigger the exit condition in the "Count" promise test above.
try { document.createElement("a").href = "done"; } catch (e) {}
try { document.createElement("script").text = "done"; } catch (e) {}
</script>
</body>
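Review bot: Dropping `[ "a", "href"]` from `testCases` (hunk `-39,7`) and `createURL: policy` from the default policy (hunk `-71,7`) leaves `a.href` with no assertion in the visible lines. Nothing then pins the behaviour this change presumably intends, that a plain string assigned to `href` neither throws nor fires a SecurityPolicyViolation event. A short negative check in its own `test()` would record that, for example `const a = document.createElement("a"); a.href = "done"; assert_true(a.href.endsWith("done"));`. The identical file section that follows would take the same addition. `testCases` and the "Count" promise test extend beyond the hunks, so confirm there that the extra assignment does not disturb the event count.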


@ -39,7 +39,6 @@ promise_test(t => {
}, "Count SecurityPolicyViolation events.");
const testCases = [
[ "a", "href"],
[ "script", "src" ],
[ "div", "innerHTML" ],
[ "script", "text" ],
@ -71,7 +70,6 @@ function policy(str) {
}
trustedTypes.createPolicy("default", {
createURL: policy,
createScriptURL: policy,
createHTML: policy,
createScript: policy
@ -105,6 +103,6 @@ testCases.forEach(c => {
});
// Trigger the exit condition in the "Count" promise test above.
try { document.createElement("a").href = "done"; } catch (e) {}
try { document.createElement("script").text = "done"; } catch (e) {}
</script>
</body>


@ -11,7 +11,6 @@ idl_test(
TrustedHTML: ['window.trustedTypes.createPolicy("SomeName1", { createHTML: s => s }).createHTML("A string")'],
TrustedScript: ['window.trustedTypes.createPolicy("SomeName2", { createScript: s => s }).createScript("A string")'],
TrustedScriptURL: ['window.trustedTypes.createPolicy("SomeName3", { createScriptURL: s => s }).createScriptURL("A string")'],
TrustedURL: ['window.trustedTypes.createPolicy("SomeName4", { createURL: s => s }).createURL("A string")']
});
},
'Trusted Types'


@ -2,14 +2,12 @@ const INPUTS = {
HTML: "Hi, I want to be transformed!",
SCRIPT: "Hi, I want to be transformed!",
SCRIPTURL: "http://this.is.a.scripturl.test/",
URL: "http://hello.i.am.an.url/"
};
const RESULTS = {
HTML: "Quack, I want to be a duck!",
SCRIPT: "Meow, I want to be a cat!",
SCRIPTURL: "http://this.is.a.successful.test/",
URL: "http://hooray.i.am.successfully.transformed/"
};
function createHTMLJS(html) {
@ -26,19 +24,6 @@ function createScriptURLJS(scripturl) {
return scripturl.replace("scripturl", "successful");
}
function createURLJS(url) {
return url.replace("hello", "hooray")
.replace("an.url", "successfully.transformed");
}
// When testing location.href (& friends), we have the problem that assigning
// to the new location will navigate away from the test. To fix this, we'll
// have a policy that will just stick the argument into the fragment identifier
// of the current location.href.
function createLocationURLJS(value) {
return location.href.replace(/#.*/g, "") + "#" + value;
}
function createHTML_policy(win, c) {
return win.trustedTypes.createPolicy('SomeHTMLPolicyName' + c, { createHTML: createHTMLJS });
}
@ -51,10 +36,6 @@ function createScriptURL_policy(win, c) {
return win.trustedTypes.createPolicy('SomeScriptURLPolicyName' + c, { createScriptURL: createScriptURLJS });
}
function createURL_policy(win, c) {
return win.trustedTypes.createPolicy('SomeURLPolicyName' + c, { createURL: createURLJS });
}
function assert_element_accepts_trusted_html(win, c, t, tag, attribute, expected) {
let p = createHTML_policy(win, c);
let html = p.createHTML(INPUTS.HTML);
@ -73,12 +54,6 @@ function assert_element_accepts_trusted_script_url(win, c, t, tag, attribute, ex
assert_element_accepts_trusted_type(tag, attribute, scripturl, expected);
}
function assert_element_accepts_trusted_url(win, c, t, tag, attribute, expected) {
let p = createURL_policy(win, c);
let url = p.createURL(INPUTS.URL);
assert_element_accepts_trusted_type(tag, attribute, url, expected);
}
function assert_element_accepts_trusted_type(tag, attribute, value, expected) {
let elem = document.createElement(tag);
elem[attribute] = value;
@ -112,12 +87,6 @@ function assert_element_accepts_trusted_script_url_explicit_set(win, c, t, tag,
assert_element_accepts_trusted_type_explicit_set(tag, attribute, scripturl, expected);
}
function assert_element_accepts_trusted_url_explicit_set(win, c, t, tag, attribute, expected) {
let p = createURL_policy(win, c);
let url = p.createURL(INPUTS.URL);
assert_element_accepts_trusted_type_explicit_set(tag, attribute, url, expected);
}
function assert_element_accepts_trusted_type_explicit_set(tag, attribute, value, expected) {
let elem = document.createElement(tag);
elem.setAttribute(attribute, value);
@ -163,12 +132,6 @@ function assert_element_accepts_trusted_script_url_set_ns(win, c, t, tag, attrib
assert_element_accepts_trusted_type_set_ns(tag, attribute, scripturl, expected);
}
function assert_element_accepts_trusted_url_set_ns(win, c, t, tag, attribute, expected) {
let p = createURL_policy(win, c);
let url = p.createURL(INPUTS.URL);
assert_element_accepts_trusted_type_set_ns(tag, attribute, url, expected);
}
function assert_element_accepts_trusted_type_set_ns(tag, attribute, value, expected) {
let elem = document.createElement(tag);
elem.setAttributeNS(namespace, attribute, value);


@ -7,14 +7,14 @@
<body>
<!-- Some elements for the tests to act on. -->
<a id="anchor" href="#">anchor</a>
<div id="div"></div>
<script id="script-src" src=""></script>
<script id="script"></script>
<script id="script2"></script>
<script>
// CSP insists the "trusted-types: ..." directives are deliverd as headers
// (rather than as "<meta http-equiv" tags). This test assumes the following
// (rather than as "meta http-equiv" tags). This test assumes the following
// headers are set in the .headers file:
//
// Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...
@ -39,17 +39,16 @@
const policy = trustedTypes.createPolicy("two", {
createHTML: id,
createScriptURL: id,
createURL: id,
createScript: id,
});
/*
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("anchor").href = "#abc";
assert_true(document.getElementById("anchor").href.endsWith("#abc"));
document.getElementById("script").src = "#abc";
assert_true(document.getElementById("script").src.endsWith("#abc"));
return p;
}, "Trusted Type violation report-only: assign string to url");
}, "Trusted Type violation report-only: assign string to script url");
*/
promise_test(t => {
let p = expect_violation("trusted-types two");
@ -74,7 +73,7 @@
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("anchor").href = "#def";
document.getElementById("script").src = "#def";
return p.then(report => {
assert_equals(report.documentURI, "" + window.location);
assert_equals(report.disposition, "report");
@ -83,7 +82,5 @@
assert_true(report.originalPolicy.startsWith("trusted-types two;"));
});
}, "Trusted Type violation report: check report contents");
</script>
</body>
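Review bot: The promise_test retitled "Trusted Type violation report-only: assign string to script url" in the `-39,17` hunk sits between `/*` and `*/` as rendered here, so it would not run. Among the visible lines, the only other report-only check of a string assigned to `script.src` is the later "check report contents" test. The rendered page does not show whether the comment markers are new or were already present. If the test is disabled on purpose, say why directly above it, for example `// Disabled: <reason or bug link>`; otherwise drop the two marker lines so the updated body is exercised. The enclosing script block starts and ends outside the hunks.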


@ -77,7 +77,6 @@
const a_policy = {
createHTML: id,
createScriptURL: id,
createURL: id,
createScript: id,
};
@ -127,9 +126,9 @@
promise_test(t => {
let p = promise_violation("trusted-types two")();
expect_throws(_ => document.getElementById("anchor").href = url);
expect_throws(_ => document.getElementById("script").src = url);
return p;
}, "Trusted Type violation report: assign string to url");
}, "Trusted Type violation report: assign string to script url");
promise_test(t => {
let p = promise_violation("trusted-types two")();
@ -139,10 +138,10 @@
promise_test(t => {
let p = promise_flush()();
document.getElementById("anchor").href = policy_one.createURL("#");
document.getElementById("script").text = policy_one.createScript("2+2;");
flush();
return p;
}, "Trusted Type violation report: assign trusted URL to url; no report");
}, "Trusted Type violation report: assign trusted script to script; no report");
promise_test(t => {
let p = promise_flush()();
@ -165,10 +164,10 @@
let p = Promise.resolve()
.then(promise_violation("trusted-types two"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLAnchorElement.href"));
expect_throws(_ => { document.getElementById("anchor").href = "" });
.then(expect_sample("HTMLScriptElement.src"));
expect_throws(_ => { document.getElementById("script").src = "" });
return p;
}, "Trusted Type violation report: sample for .href assignment");
}, "Trusted Type violation report: sample for script.src assignment");
promise_test(t => {
let p = Promise.resolve()
@ -210,24 +209,24 @@
// refer to the DOM elements being modified, so that Custom Elements cannot
// "mask" the underlying DOM mechanism (for reporting).
if (customElements) {
class CustomLink extends HTMLAnchorElement {};
customElements.define("custom-link", CustomLink, { extends: "a" });
class CustomScript extends HTMLScriptElement {};
customElements.define("custom-script", CustomScript, { extends: "script" });
promise_test(t => {
let p = Promise.resolve()
.then(promise_violation("trusted-types one"))
.then(expect_blocked_uri("trusted-types-sink"))
.then(expect_sample("HTMLAnchorElement.href"))
.then(expect_sample("HTMLScriptElement.src"))
.then(expect_sample("abc"));
expect_throws(_ => document.getElementById("customlink").href = "abc");
expect_throws(_ => document.getElementById("customscript").src = "abc");
return p;
}, "Trusted Type violation report: sample for custom element assignment");
}
</script>
<!-- Some elements for the tests to act on. -->
<a id="anchor" href="">anchor</a>
<div id="div"></div>
<script id="script"></script>
<a id="customlink" is="custom-link" href="a"></a>
<script id="customscript" is="custom-script" src="a"></script>
</body>