Bug 287158
| Summary: | It is possible to have the same Attr node in multiple Elements with Trusted Types default policy | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Luke Warlow <lwarlow> |
| Component: | DOM | Assignee: | Luke Warlow <lwarlow> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Other | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://github.com/web-platform-tests/wpt/pull/50532 | ||
| Bug Depends on: | |||
| Bug Blocks: | 266630 | ||
Luke Warlow
```
<!DOCTYPE html>
<html> <head> <meta charset="utf-8"> <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'"> </head> <body> <h3 id="log"></h3> <script>
var attr = document.createAttribute("onclick");
attr.value = "1+1;";
var gotCreateScript = false;
trustedTypes.createPolicy("default", {
createScript: function(val) {
if (gotCreateScript) {
// We move the Attr node only the first time this is called.
return val;
}
gotCreateScript = true;
document.documentElement.setAttributeNode(attr);
return val;
},
});
document.body.setAttributeNode(attr);
document.getElementById("log").textContent =
"Does html and body element have the same Attr node in their attributes list: " +
(document.documentElement.attributes[0] === document.body.attributes[0]);
</script> </body> </html>
```
By using trusted types callbacks it is possible to move Attr node to another element while it is still being set on the original element. Some discussion also in https://github.com/whatwg/dom/pull/1268
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Luke Warlow
Pull request: https://github.com/WebKit/WebKit/pull/40127
Radar WebKit Bug Importer
<rdar://problem/144789108>
EWS
Committed 290543@main (4dad722e68b5): <https://commits.webkit.org/290543@main>
Reviewed commits have been landed. Closing PR #40127 and removing active labels.