Implement trusted types integrations with DOM attribute APIs.

https://bugs.webkit.org/show_bug.cgi?id=270436

Reviewed by NOBODY (OOPS!).

Implement the spec updates at whatwg/dom#1247

It also removes some expectations in GTK as the results should be
in line with the general expectation file.

* LayoutTests/TestExpectations:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/GlobalEventHandlers-onclick-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-Element-setAttribute-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-Element-setAttributeNS-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/trusted-types-event-handlers-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/trusted-types-event-handlers.html:
* LayoutTests/imported/w3c/web-platform-tests/trusted-types/trusted-types-svg-script-set-href-expected.txt:
* LayoutTests/platform/gtk/TestExpectations:
* Source/WebCore/dom/Element.cpp:
(WebCore::trustedTypesCompliantAttributeValue):
(WebCore::Element::validateAttributeIndex const):
(WebCore::Element::toggleAttribute):
(WebCore::Element::setAttribute):
(WebCore::Element::setElementsArrayAttribute):
(WebCore::appendAttributes):
(WebCore::Element::setAttributeNode):
(WebCore::Element::setAttributeNodeNS):
(WebCore::Element::setAttributeNS):
* Source/WebCore/dom/Element.h:
* Source/WebCore/dom/Element.idl:
* Source/WebCore/dom/TrustedScript.h:
* Source/WebCore/dom/TrustedScriptURL.h:
(WebCore::TrustedScriptURL::toString const): Deleted.
(WebCore::TrustedScriptURL::toJSON const): Deleted.
* Source/WebCore/dom/TrustedType.cpp:
(WebCore::stringToTrustedType):
(WebCore::trustedTypeForAttribute):
* Source/WebCore/dom/TrustedType.h:
* Source/WebCore/dom/TrustedTypePolicyFactory.cpp:
(WebCore::TrustedTypePolicyFactory::getAttributeType const):
* Source/WebKit/WebProcess/InjectedBundle/API/mac/WKDOMElement.mm:
(-[WKDOMElement setAttribute:value:]):
* Source/WebKitLegacy/mac/DOM/DOMElement.mm:
(-[DOMElement setAttribute:value:]):
(-[DOMElement setAttributeNS:qualifiedName:value:]):

Author: ziransun

LayoutTests/TestExpectations

@@ -5483,13 +5483,14 @@ webkit.org/b/261849 imported/w3c/web-platform-tests/css/css-scroll-anchoring/zer
 webkit.org/b/261849 imported/w3c/web-platform-tests/css/css-scroll-anchoring/start-edge-in-block-layout-direction.html [ Skip ]
 
 # Trusted Types aren't fully implemented yet
-webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/trusted-types-event-handlers.html [ Skip ]
 webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/WorkerGlobalScope-eval.html [ Skip ]
 webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/trusted-types-reporting.html [ Skip ]
 webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/trusted-types-svg-script.html [ Skip ]
 webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html [ Skip ]
 webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/trusted-types-eval-reporting-report-only.html [ Skip ]
 webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/WorkerGlobalScope-importScripts.html [ Pass Failure ]
+webkit.org/b/266630 imported/w3c/web-platform-tests/trusted-types/trusted-types-navigation.html [ Pass Failure ]
+webkit.org/b/274088 imported/w3c/web-platform-tests/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP.html [ Pass Failure ]
 
 # These tests are image failures
 imported/w3c/web-platform-tests/css/css-scroll-anchoring/vertical-rl-viewport-size-change-000.html [ Skip ]

LayoutTests/imported/w3c/web-platform-tests/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP-expected.txt

@@ -1,20 +1,20 @@
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
 
 
 
-FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP;
- Element=iframe; Parent=div; Attribute=srcdoc assert_throws_js: function "() => {
-                  sourceElement.setAttributeNode(sourceAttr);
-                }" did not throw
-FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP;
- Element=script; Parent=div; Attribute=src assert_throws_js: function "() => {
-                  sourceElement.setAttributeNode(sourceAttr);
-                }" did not throw
-FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP;
- Element=script; Parent=svg; Attribute=href assert_throws_js: function "() => {
-                  sourceElement.setAttributeNode(sourceAttr);
-                }" did not throw
-FAIL setAttribute and setAttributeNode respect the element's node document's global's CSP;
- Element=script; Parent=svg; Attribute=xlink:href assert_throws_js: function "() => {
-                  sourceElement.setAttributeNode(sourceAttr);
-                }" did not throw
+PASS setAttribute and setAttributeNode respect the element's node document's global's CSP;
+ Element=iframe; Parent=div; Attribute=srcdoc
+PASS setAttribute and setAttributeNode respect the element's node document's global's CSP;
+ Element=script; Parent=div; Attribute=src
+PASS setAttribute and setAttributeNode respect the element's node document's global's CSP;
+ Element=script; Parent=svg; Attribute=href
+PASS setAttribute and setAttributeNode respect the element's node document's global's CSP;
+ Element=script; Parent=svg; Attribute=xlink:href
 

LayoutTests/imported/w3c/web-platform-tests/trusted-types/GlobalEventHandlers-onclick-expected.txt

@@ -1,5 +1,7 @@
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
 
 PASS a.setAttribte('onclick') sets a trusted script.
-FAIL a.setAttribute('onclick') sets an unsuitable trusted type. assert_unreached: Reached unreachable code
-FAIL a.setAttribute('click') sets a test string. assert_unreached: Reached unreachable code
+PASS a.setAttribute('onclick') sets an unsuitable trusted type.
+PASS a.setAttribute('click') sets a test string.
 

LayoutTests/imported/w3c/web-platform-tests/trusted-types/TrustedTypePolicyFactory-metadata.tentative-expected.txt

@@ -1,3 +1,15 @@
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
 
 PASS Test assignment of string on madeup.madeup
 PASS Test assignment of string on madeup.setAttribute(madeup,..)
@@ -16,21 +28,21 @@ PASS Test assignment of TrustedScript on madeup.setAttribute(id,..)
 PASS Test assignment of TrustedScriptURL on madeup.id
 PASS Test assignment of TrustedScriptURL on madeup.setAttribute(id,..)
 PASS Test assignment of string on madeup.onerror
-FAIL Test assignment of string on madeup.setAttribute(onerror,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of string on madeup.setAttribute(onerror,..)
 PASS Test assignment of TrustedHTML on madeup.onerror
-FAIL Test assignment of TrustedHTML on madeup.setAttribute(onerror,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedHTML on madeup.setAttribute(onerror,..)
 PASS Test assignment of TrustedScript on madeup.onerror
 PASS Test assignment of TrustedScript on madeup.setAttribute(onerror,..)
 PASS Test assignment of TrustedScriptURL on madeup.onerror
-FAIL Test assignment of TrustedScriptURL on madeup.setAttribute(onerror,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedScriptURL on madeup.setAttribute(onerror,..)
 PASS Test assignment of string on madeup.onclick
-FAIL Test assignment of string on madeup.setAttribute(onclick,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of string on madeup.setAttribute(onclick,..)
 PASS Test assignment of TrustedHTML on madeup.onclick
-FAIL Test assignment of TrustedHTML on madeup.setAttribute(onclick,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedHTML on madeup.setAttribute(onclick,..)
 PASS Test assignment of TrustedScript on madeup.onclick
 PASS Test assignment of TrustedScript on madeup.setAttribute(onclick,..)
 PASS Test assignment of TrustedScriptURL on madeup.onclick
-FAIL Test assignment of TrustedScriptURL on madeup.setAttribute(onclick,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedScriptURL on madeup.setAttribute(onclick,..)
 PASS Test assignment of string on b.madeup
 PASS Test assignment of string on b.setAttribute(madeup,..)
 PASS Test assignment of TrustedHTML on b.madeup
@@ -48,19 +60,19 @@ PASS Test assignment of TrustedScript on b.setAttribute(id,..)
 PASS Test assignment of TrustedScriptURL on b.id
 PASS Test assignment of TrustedScriptURL on b.setAttribute(id,..)
 PASS Test assignment of string on b.onerror
-FAIL Test assignment of string on b.setAttribute(onerror,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of string on b.setAttribute(onerror,..)
 PASS Test assignment of TrustedHTML on b.onerror
-FAIL Test assignment of TrustedHTML on b.setAttribute(onerror,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedHTML on b.setAttribute(onerror,..)
 PASS Test assignment of TrustedScript on b.onerror
 PASS Test assignment of TrustedScript on b.setAttribute(onerror,..)
 PASS Test assignment of TrustedScriptURL on b.onerror
-FAIL Test assignment of TrustedScriptURL on b.setAttribute(onerror,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedScriptURL on b.setAttribute(onerror,..)
 PASS Test assignment of string on b.onclick
-FAIL Test assignment of string on b.setAttribute(onclick,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of string on b.setAttribute(onclick,..)
 PASS Test assignment of TrustedHTML on b.onclick
-FAIL Test assignment of TrustedHTML on b.setAttribute(onclick,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedHTML on b.setAttribute(onclick,..)
 PASS Test assignment of TrustedScript on b.onclick
 PASS Test assignment of TrustedScript on b.setAttribute(onclick,..)
 PASS Test assignment of TrustedScriptURL on b.onclick
-FAIL Test assignment of TrustedScriptURL on b.setAttribute(onclick,..) assert_throws_js: throws function "_ => { element.setAttribute(property, value); }" did not throw
+PASS Test assignment of TrustedScriptURL on b.setAttribute(onclick,..)
 

LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-Element-setAttribute-expected.txt

@@ -1,23 +1,24 @@
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedHTML value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScript value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
 
-FAIL script.src accepts only TrustedScriptURL assert_throws_js: function "_ => {
-    elem.setAttribute(attribute, value);
-  }" did not throw
-FAIL iframe.srcdoc accepts only TrustedHTML assert_throws_js: function "_ => {
-    elem.setAttribute(attribute, value);
-  }" did not throw
-FAIL div.onclick accepts only TrustedScript assert_throws_js: function "_ => {
-    elem.setAttribute(attribute, value);
-  }" did not throw
-FAIL `Script.prototype.setAttribute.SrC = string` throws. assert_throws_js: function "_ => {
-      el.setAttribute('SrC', INPUTS.URL);
-    }" did not throw
+PASS script.src accepts only TrustedScriptURL
+PASS iframe.srcdoc accepts only TrustedHTML
+PASS div.onclick accepts only TrustedScript
+PASS `Script.prototype.setAttribute.SrC = string` throws.
 PASS script.src accepts string and null after default policy was created.
-FAIL script.src's mutationobservers receive the default policy's value. assert_equals: expected "http://this.is.a.successful.test/" but got "http://this.is.a.scripturl.test/"
-FAIL iframe.srcdoc's mutationobservers receive the default policy's value. assert_equals: expected "Quack, I want to be a duck!" but got "Hi, I want to be transformed!"
-FAIL div.onclick's mutationobservers receive the default policy's value. assert_equals: expected "Meow, I want to be a cat!" but got "Hi, I want to be transformed!"
+PASS script.src's mutationobservers receive the default policy's value.
+PASS iframe.srcdoc's mutationobservers receive the default policy's value.
+PASS div.onclick's mutationobservers receive the default policy's value.
 PASS iframe.srcdoc accepts string and null after default policy was created.
-FAIL div.onclick accepts string and null after default policy was created. assert_equals: expected "Meow, I want to be a cat!" but got "Hi, I want to be transformed!"
+PASS div.onclick accepts string and null after default policy was created.
 PASS a.rel accepts strings
 PASS a.rel accepts null
-FAIL `script.src = setAttributeNode(embed.src)` with string works. assert_equals: expected "http://this.is.a.successful.test/" but got "http://this.is.a.scripturl.test/"
+PASS `script.src = setAttributeNode(embed.src)` with string works.
 

LayoutTests/imported/w3c/web-platform-tests/trusted-types/block-string-assignment-to-Element-setAttributeNS-expected.txt

@@ -1,13 +1,15 @@
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
+CONSOLE MESSAGE: This requires a TrustedScriptURL value else it violates the following Content Security Policy directive: "require-trusted-types-for 'script'"
 
 PASS Element.setAttributeNS assigned via policy (successful HTML transformation)
 PASS Element.setAttributeNS assigned via policy (successful Script transformation)
 PASS Element.setAttributeNS assigned via policy (successful ScriptURL transformation)
 PASS Element.setAttributeNS accepts untrusted string for non-specced accessor
 PASS Element.setAttributeNS accepts null for non-specced accessor
 PASS Assigning TrustedScriptURL to <svg:script xlink:href=...> works
-FAIL Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works assert_throws_js: function "_ => {
-          elem.setAttributeNS(xlinkNamespace, "href", v);
-        }" did not throw
+PASS Blocking non-TrustedScriptURL assignment to <svg:script xlink:href=...> works
 PASS Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute "SRCDOC" (ns=null) for "iframe" element (ns=http://www.w3.org/1999/xhtml).
 PASS Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute "SRC" (ns=null) for "script" element (ns=http://www.w3.org/1999/xhtml).
 PASS Check `setAttributeNS` allows setting non-trusted string for non-lowercase attribute "HREF" (ns=null) for "script" element (ns=http://www.w3.org/2000/svg).