Update IDL for script enforcement #484

Merged (4 commits), Apr 23, 2024
82 changes: 65 additions & 17 deletions spec/index.bs
Expand Up @@ -120,6 +120,12 @@ spec:ECMA-262; urlPrefix: https://tc39.github.io/ecma262/
type:dfn; text:current realm record; url: current-realm
spec: HTML; urlPrefix: https://html.spec.whatwg.org/
type: dfn; text: prepare the script element; url: prepare-the-script-element
type: dfn; text: get the text steps; url: get-the-text-steps
type: dfn; text: set the inner text steps; url: set-the-inner-text-steps
type: dfn; text: src; url: attr-script-src
spec:DOM; urlPrefix: https://dom.spec.whatwg.org/
type: dfn; text: get text content; url: get-text-content
type: dfn; text: set text content; url: set-text-content
</pre>

<pre class="link-defaults">
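Review bot: the new anchor `type: dfn; text: src; url: attr-script-src` uses the bare link text `src`, so any `[=src=]` autolink in this spec (including the one in the new {{HTMLScriptElement/src}} setter steps further down) resolves to the script element's attribute; HTML defines `src` content attributes on several elements, so consider scoping the anchor with a `for` (for example `for: script`) or using a more specific link text so the cross-reference cannot silently pick up the wrong definition if another `src` anchor is added later.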
Expand Down Expand Up @@ -1137,36 +1143,78 @@ type policy factory]].

### Enforcement for scripts ### {#enforcement-in-scripts}

This document modifies how {{HTMLScriptElement}} [=child text content=] can be set to allow applications to control dynamically created scripts. It does so by
adding the {{HTMLElement/innerText}} and {{Node/textContent}} attributes directly on {{HTMLScriptElement}}. The behavior of the attributes remains the same
as in their original counterparts, apart from the additional behavior of calling [$Get Trusted Type compliant string$].

Note: Using these IDL attributes is the recommended way of dynamically setting the URL or a text of a script. Manipulating attribute nodes or text nodes directly will call a default policy on the final value when the script is prepared.

<pre class="idl exclude">
partial interface HTMLScriptElement {
[CEReactions] attribute ([LegacyNullToEmptyString] DOMString or TrustedScript) innerText;
[CEReactions] attribute (DOMString or TrustedScript)? textContent;
[CEReactions] attribute (USVString or TrustedScriptURL) src;
[CEReactions] attribute (DOMString or TrustedScript) text;
};
</pre>

#### Slots with trusted values #### {#slots-with-trusted-values}

This document modifies {{HTMLScriptElement}}s. Each script has:

: an associated string <dfn export for="HTMLScriptElement">script text</dfn>.
:: A string, containing the body of the script to execute that was set
through a {{StringContext}} compliant sink. Equivalent to script's
through a compliant sink. Equivalent to script's
[=child text content=]. Initially an empty string.

#### Setting slot values #### {#setting-slot-values}
#### The {{HTMLScriptElement/innerText}} IDL attribute #### {#the-innerText-idl-attribute}

This document modifies how {{HTMLScriptElement}} [=child text content=] can be set to allow applications to control dynamically created scripts. It does so by
adding the {{HTMLElement/innerText}} and {{Node/textContent}} attributes directly on {{HTMLScriptElement}}. The behavior of the attributes remains the same
as in their original counterparts, apart from additional behavior triggered by the {{StringContext}} extended attribute presence.
The {{HTMLScriptElement/innerText}} setter steps are:

Note: Using these IDL attributes is the recommended way of dynamically setting URL or a text of a script. Manipulating attribute nodes or text nodes directly will call a default policy on the final value when the script is prepared.
1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement innerText`, and
`script`.
1. Set [=this=]'s [=script text=] value to |value|.
1. Run [=set the inner text steps=] with [=this=] and |value|.

<pre class="idl exclude">
partial interface HTMLScriptElement {
[CEReactions] attribute [LegacyNullToEmptyString] ScriptString innerText;
[CEReactions] attribute ScriptString? textContent;
[CEReactions] attribute ScriptURLString src;
[CEReactions] attribute ScriptString text;
};
</pre>
The {{HTMLScriptElement/innerText}} getter steps are:

1. Return the result of running [=get the text steps=] with [=this=].

#### The {{HTMLScriptElement/textContent}} IDL attribute #### {#the-textContent-idl-attribute}

The {{HTMLScriptElement/textContent}} setter steps are to, if the given value is null, act as if it was the
empty string instead, and then do as described below:

1. Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement textContent`, and
`script`.
1. Set [=this=]'s [=script text=] value to |value|.
1. Run [=set text content=] with [=this=] and |value|.

The {{HTMLScriptElement/textContent}} getter steps are:

1. Return the result of running [=get text content=] with [=this=].

#### The {{HTMLScriptElement/text}} IDL attribute #### {#the-text-idl-attribute}

Update the {{HTMLScriptElement/text}} setter steps algorithm as follows.

1. <ins>Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScript}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement text`, and
`script`.</ins>
1. <ins>Set [=this=]'s [=script text=] value to the given value.</ins>
1. [=String replace all=] with the given value within [=this=].


#### The {{HTMLScriptElement/src}} IDL attribute #### {#the-src-idl-attribute}

On setting the {{HTMLElement/innerText}}, {{Node/textContent}} and {{HTMLScriptElement/text}} IDL attributes execute the following algorithm:
The {{HTMLScriptElement/src}} setter steps are:

1. Set [=script text=] value to the stringified attribute value.
1. Perform the usual attribute setter steps.
1. <ins>Let |value| be the result of calling [$Get Trusted Type compliant string$] with
{{TrustedScriptURL}}, [=this=]'s [=relevant global object=], the given value, `HTMLScriptElement src`, and
`script`.</ins>
1. <ins>Set [=this=]'s [=src=] content attribute to |value|.</ins>

#### Slot value verification #### {#slot-value-verification}

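Review bot: the {{HTMLScriptElement/text}} setter steps are inconsistent with the other three setters in this hunk: step 1 computes |value| via [$Get Trusted Type compliant string$], but step 2 stores "the given value" in [=script text=] and step 3 runs [=String replace all=] with "the given value", whereas the innerText, textContent and src setters all continue with |value|. As written, the slot and the DOM would receive the raw union value rather than the compliant string. Suggest `1. <ins>Set [=this=]'s [=script text=] value to |value|.</ins>` and `1. [=String replace all=] with |value| within [=this=].` so the text setter matches the pattern used by the others.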