
Issue 913180

Issue metadata

Status: Fixed
Owner:
Closed: Jan 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Trusted Types createURL and createScriptURL accept only absolute URLs

Project Member Reported by jakubvrana@google.com, Dec 8

Issue description

Chrome Version: 72.0.3626.7 (Official Build) dev (64-bit)
OS: gLinux

What steps will reproduce the problem?
(1) tt = TrustedTypes.createPolicy('tt', {createURL: s => s})
(2) tt.createURL('a').toString()

What is the expected result?
'a'

What happens instead?
''

tt.createURL('http://a').toString() returns 'http://a' as expected.
 
Status: Assigned (was: Untriaged)
I think the report is correct, and I'll fix this soon-ish.
(I'll be on holidays for a bit, so "soon-ish" will likely be early Jan '19.)

Also, thank you for trying out Trusted Types!

---

The current TrustedURL* implementation(s) wrap a KURL instance (instead of a string), and don't use the base URL to parse relative URLs. That causes the behaviour reported.

I'll need to figure out whether parsing should use the base URL, or whether we shouldn't parse at all and just wrap a string. koto@ said offline he thinks of any Trusted* objects as strings. That probably does make the most sense here.

Cc: koto@google.com
Yes, I think we should wrap over strings, simply for backwards compatibility. The policies might decide to absolutize the URLs themselves using the document.baseURI or any other base.
Cc: vogelheim@chromium.org
Labels: -OS-Linux OS-All
Owner: jakubvrana@google.com
Status: Started (was: Assigned)
https://crrev.com/c/1375714
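
The suggestion above, that a policy absolutize URLs itself against `document.baseURI` or another base, sketched as an added example (not code from this thread or from Chromium). `BASE`, `ALLOWED_ORIGINS`, `absolutizeAndCheck` and `tryPolicy` are hypothetical names, the origin allowlist is an assumption added here, and the WHATWG `URL` parser stands in for the browser's own resolution.

```javascript
// Added example: a policy callback that resolves first and validates second.
// Once the typed object stores the policy's output as a plain string, the
// policy is the only place where a relative input gets resolved and checked.

// Constructed sample values; in a page the base would be document.baseURI.
const BASE = 'https://app.example/static/index.html';
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://cdn.example']);

// Resolve the input against the base, then decide on the resolved origin.
// Returns the absolute URL string, or throws so that no typed value is created.
function absolutizeAndCheck(input, base = BASE, allowed = ALLOWED_ORIGINS) {
  let resolved;
  try {
    resolved = new URL(String(input), base);
  } catch (_) {
    throw new TypeError('unparseable URL: ' + input);
  }
  // Checking the raw string (for example "does not start with http") would
  // miss scheme-relative inputs such as '//host/path'; the resolved origin
  // does not.
  if (!allowed.has(resolved.origin)) {
    throw new TypeError('origin not allowed: ' + resolved.origin);
  }
  return resolved.href;
}

// Demo helper: run the callback and report the outcome as a string.
function tryPolicy(input) {
  try {
    return absolutizeAndCheck(input);
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}

// With the API shape used in this issue, the callback would be registered as:
//   TrustedTypes.createPolicy('abs', {createScriptURL: s => absolutizeAndCheck(s)})

// Constructed inputs: relative, root-relative, scheme-relative, absolute.
for (const s of ['a', '/lib.js', '//evil.example/x.js', 'https://cdn.example/v1/app.js']) {
  console.log(JSON.stringify(s), '->', tryPolicy(s));
}
```
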
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a54a0773e501aeb3b7149271149223632c478a71

commit a54a0773e501aeb3b7149271149223632c478a71
Author: Jakub Vrana <jakubvrana@google.com>
Date: Mon Jan 07 12:48:45 2019

Trusted Types: Store TrustedURL and TrustedScriptURL contents as string

Bug: 739170,  913180 
Change-Id: I01391891d89aeb55e387059ed4c4a4b92c6dcd7b
Reviewed-on: https://chromium-review.googlesource.com/c/1375714
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#620299}
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/exported/web_frame_test.cc
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/trustedtypes/trusted_script_url.cc
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/trustedtypes/trusted_script_url.h
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/trustedtypes/trusted_type_policy.cc
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/trustedtypes/trusted_types_util_test.cc
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/trustedtypes/trusted_url.cc
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/renderer/core/trustedtypes/trusted_url.h
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicy-createXXX.tentative.html
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-createPolicy-createXYZTests.tentative.html
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/web_tests/external/wpt/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
[modify] https://crrev.com/a54a0773e501aeb3b7149271149223632c478a71/third_party/blink/web_tests/external/wpt/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html

Status: Fixed (was: Started)
Project Member

Comment 6 by bugdroid1@chromium.org, Jan 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/822e75f724b501832a7abb1353cf5c7e400d4aa0

commit 822e75f724b501832a7abb1353cf5c7e400d4aa0
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Thu Jan 10 17:12:35 2019

[Sheriff] Revert "Trusted Types: Store TrustedURL and TrustedScriptURL contents as string"

This reverts commit a54a0773e501aeb3b7149271149223632c478a71.

Reason for revert: flakiness https://findit-for-me.appspot.com/waterfall/flake/flake-culprit?key=ag9zfmZpbmRpdC1mb3ItbWVyQwsSDEZsYWtlQ3VscHJpdCIxY2hyb21pdW0vYTU0YTA3NzNlNTAxYWViM2I3MTQ5MjcxMTQ5MjIzNjMyYzQ3OGE3MQw

BUG= chromium:919833 

Original change's description:
> Trusted Types: Store TrustedURL and TrustedScriptURL contents as string
> 
> Bug: 739170,  913180 
> Change-Id: I01391891d89aeb55e387059ed4c4a4b92c6dcd7b
> Reviewed-on: https://chromium-review.googlesource.com/c/1375714
> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
> Reviewed-by: Mike West <mkwst@chromium.org>
> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#620299}

TBR=vogelheim@chromium.org,mkwst@chromium.org,jakubvrana@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 739170,  913180 
Change-Id: Ic3561942a74f6106d629c5f3a7b30014719bc7d5
Reviewed-on: https://chromium-review.googlesource.com/c/1405188
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621617}
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/exported/web_frame_test.cc
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/trustedtypes/trusted_script_url.cc
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/trustedtypes/trusted_script_url.h
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/trustedtypes/trusted_type_policy.cc
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/trustedtypes/trusted_types_util_test.cc
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/trustedtypes/trusted_url.cc
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/renderer/core/trustedtypes/trusted_url.h
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicy-createXXX.tentative.html
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/web_tests/external/wpt/trusted-types/TrustedTypePolicyFactory-createPolicy-createXYZTests.tentative.html
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/web_tests/external/wpt/trusted-types/block-string-assignment-to-Element-setAttribute.tentative.html
[modify] https://crrev.com/822e75f724b501832a7abb1353cf5c7e400d4aa0/third_party/blink/web_tests/external/wpt/trusted-types/block-string-assignment-to-HTMLElement-generic.tentative.html
