Trusted types attributes

[lukewarlow]

This calls the get Trusted Types-compliant attribute value algorithm from Trusted Types (w3c/trusted-types#418) from attribute's change, append, and replace.

Changed the signature of setAttribute and setAttributeNS to accept Trusted Types as values. The underlying Attr node's values continue to be DOMString, so moving nodes across elements or adding standalone attributes to elements can cause TT violations. This matches WPT tests and the Chromium's implementation.

See and #789. Supercedes #809 and #1247

• At least two implementers are interested (and none opposed):
  • Chromium
  • Gecko
• Tests are written and can be reviewed and commented upon at:
  • https://github.com/web-platform-tests/wpt/tree/master/trusted-types
• Implementation bugs are filed:
  • Chromium:https://bugs.chromium.org/p/chromium/issues/detail?id=739170
  • Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1508286
  • WebKit: https://bugs.webkit.org/show_bug.cgi?id=266630
• MDN issue is filed: …
• The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

---

Preview | Diff

[lukewarlow]

This is a clone of #1247 where I will finish any outstanding work to get this across the line

[lukewarlow]

See also #1258 which is another integration point with the DOM spec that we need for TT.

[otherdaniel]

I still find it difficult to wrap my head around this logic. I think conceptually, we want to have the old value -- from before the call, and thus before a default policy might have mucked with it. That's what should go into the change attribute logic. But once we have that, I'm not sure why we'd need to throw an exception here. I'm not sure why we'd have to care whether the default policy does anything funny with the attribute in the mean time.

[lukewarlow]

I've read through this spec path and I believe that, if the default policy removes the existing attribute node, then this will call replace an attribute, which in turn calls replace a list item, which results in a no-op because the old value no longer exists to be replaced.

So I think in this situation you're probably right the spec doesn't need to do anything, will make that change.

[lukewarlow]

Having said that I'm slightly uneasy about stuff like attribute change steps still firing and how that all works spec wise.

Both Chromium and WebKit don't actually follow the spec 100% here and so I think would actually result in a different behaviour to this spec (the index lookup happens after the TT call) so that's also not ideal.

[lukewarlow]

I think I've addressed all the comments from #1247.

I do want to point out Chrome and WebKit don't (or at least not in a way obvious to me) 100% follow the flow of the spec and as a result this may result in differences specifically in weird cases with attribute mutation.

So that bit especially it would be good to get feedback on.

It's also worth being aware that like Chromium's implementation this spec means that certain ways to update a nodes value don't work with a trusted type object as a user might expect. (e.g. iframe.getAttributeNode('srcdoc').value = trustedHTMLObj; will throw unless allowed by a default policy). I think in pratice this will be fine, and in some cases is the only real option we have without nodes keeping track of whether they're trusted or not (which would add lots of complexity)

[annevk]

This change is either incomplete or makes many cosmetic changes that would be best proposed separately as they confuse me quite a bit.

[lukewarlow]

This change is either incomplete or makes many cosmetic changes that would be best proposed separately as they confuse me quite a bit.

Apologies I thought I'd reverted all of these changes but I missed a few, it's because I changed stuff and then changed it back and this led to some wonky diffs. Have hopefully reverted all of these unnecessary changes

[annevk]

Should this be value or attribute's value? They can be different, right?

[lukewarlow]

@otherdaniel, @annevk , and @smaug---- regarding the case where the default policy changes assumptions about the existence of an attribute mid-way through what would you prefer the spec say to do? Currently I've specced to throw, but Chromium currently re-looks up the index (spec doesn't explicitly work on an index basis but Chromium and WebKit do)

[annevk]

Attributes are stored in a list and those do have indices per Infra. What am I missing?

[lukewarlow]

Sorry I mean algorithmically the spec and implementations don't follow the same flow. So it's trickier to reason between the spec and implementation. This might just be my lack of familiarity with these APIs too.

[annevk]

The path of least resistance is prolly matching Chromium. Introducing new paths that throw is always risky. If you are looking for guidance as to how, I'd need quite a bit more context to provide helpful suggestions.

[lukewarlow]

I've pushed up the change to "set an attribute", and to "set an existing attribute value".

I'm looking into the setAttribute methods now.

Attr.value/.nodeValue/.textContent should do validation (if there is element) too before modifying the value.
(chromium and webkit seem to do something else, assuming I'm reading the code correctly)

WebKit at least calls element->setAttribute so the TT check happens slightly later and this can lead to the logic running on the wrong element.

I've updated the spec to make it clearer what should happen here. I believe this is slightly different to Firefox's recently implementation so will need test changes.

Element.setAttribute/Element.setAttributeNS in the PR needs some tweaking too. Implementations don't necessarily create Attr nodes when those APIs are used, but if they do, what happens if TT callback moves the Attr away. As fred-wang mentioned earlier, implementations already just create a new attribute on the element.

I'll investigate what Firefox is doing here and see what the best approach to take is. Generally it seems we want to move TT earlier in the process if possible so I'll try to achieve that.

Perhaps we can move step 6 higher up, but it would have to be after step 3 at the earliest.

[annevk]

I did a quick editorial review. Please double check the comments throughout as some apply several times.

[annevk]

Suggested change

	<li><p>Let <var>verifiedValue</var> be the result of calling <a>verify attribute value</a>
	<var>attr</var>'s <a for=Attr>value</a> for <var>attr</var>, with <var>element</var>.
	<li><p>Let <var>verifiedValue</var> be the result of <a>verifying attribute value</a> given
	<var>attr</var>'s <a for=Attr>value</a>, <var>attr</var>, and <var>element</var>.

However, this doesn't match the signature above. What gives?

[lukewarlow]

I've updated this and the signature to hopefully be clearer. I think it does match the signature it was just written rather poorly. I've changed the signature to a more convetional one and updated the call sites accordingly.

[annevk]

No newlines in phrasing level elements.

[lukewarlow]

I think I've addressed all of these, will check the github diff to make sure

[annevk]

No wrapping in phrasing-level elements.

[annevk]

then set

[annevk]

No wrapping in phrasing

[annevk]

"result of verifying an attribute" is nicer. And it should work with Bikeshed.

[annevk]

"result of verifying an attribute value"

[annevk]

"result of verifying"