Skip to content

Commit

Permalink
Rewrote DOM integration, adding an expliting entry point algorithm to
Browse files Browse the repository at this point in the history
call from DOM.

whatwg/dom#789
Closes #401.
  • Loading branch information
koto committed Jan 23, 2024
1 parent 4f94c5b commit 7820b21
Showing 1 changed file with 15 additions and 73 deletions.
88 changes: 15 additions & 73 deletions spec/index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -714,7 +714,7 @@ initially empty.
1. Let |interface| be the [=element interface=] for |localName| and |elementNs|.
1. If |interface| does not have an IDL <a spec="webidl">attribute</a> that [=reflects=] a content attribute with
|localName| local name and |attrNs| namespace,
return undefined and abort further steps. Otherwise, let |idlAttribute| be that IDL <a spec="webidl">attribute</a>.
return undefined and abort further steps. Otherwise, let |idlAttribute| be that IDL attribute.
1. If {{StringContext}} IDL extended attribute appears on |idlAttribute|, return
stringified {{StringContext}}'s identifier and abort further steps.
1. Return null.
Expand Down Expand Up @@ -1091,18 +1091,6 @@ Given a {{TrustedType}} type (|expectedType|), a [=realm/global object=] (|globa

Given an {{HTMLScriptElement}} (|script|), this algorithm performs the following steps:

1. If |script| does not have a <{script/src}> content attribute, set its {{HTMLScriptElement/[[ScriptURL]]}} internal slot value to `null`.

1. Otherwise, if |script|'s {{HTMLScriptElement/[[ScriptURL]]}} internal slot value is not equal to its <{script/src}> attribute value,
set |script|'s {{HTMLScriptElement/[[ScriptURL]]}} to the result of executing [$Get Trusted Type compliant string$], with the following arguments:
* {{TrustedScriptURL}} as |expectedType|,
* |script|'s {{Document}}'s [=relevant global object=] as |global|,
* |script|'s <{script/src}> attribute value as |input|,
* `HTMLScriptElement src` as |sink|,
* `'script'` as |sinkGroup|.

If the algorithm threw an error, rethrow the error and abort further steps.

1. If |script|'s {{HTMLScriptElement/[[ScriptText]]}} internal slot value is not equal to its [=child text content=],
set |script|'s {{HTMLScriptElement/[[ScriptText]]}} to the result of executing [$Get Trusted Type compliant string$], with the following arguments:
* {{TrustedScriptURL}} as |expectedType|,
Expand All @@ -1113,6 +1101,20 @@ Given an {{HTMLScriptElement}} (|script|), this algorithm performs the following

If the algorithm threw an error, rethrow the error.

## <dfn-abstract-op export>Validate attribute mutation</dfn> ## {#validate-attribute-mutation}
Given {{Attr}} |attribute|, {{Element}} |element| and {{TrustedType}} or a string |newValue|, this algorithm performs the following steps:

1. If |element| has an <a spec="webidl" lt="attribute">IDL attribute</a> that [=reflects=] a content attribute with |attribute|'s [=Attr/local name=], let |idlAttribute| be that IDL <a spec="webidl">attribute</a>. Otherwise, return stringified |newValue|.
1. If {{StringContext}} IDL extended attribute does not appears on |idlAttribute|, return stringified |newValue|.
1. Set |value| to the result of executing [$Get Trusted Type compliant string$] with the following arguments:
* {{StringContext}} identifier as |expectedType|
* |newValue| as |input|
* |element|'s <a>relevant global object</a> as |global|
* the result of [=concatenating=] the list &laquo; |element|'s [=Element/local name=], |attribute|'s |localName| &raquo; with `"."` as a |separator| as |sink|
* 'script' as |sinkGroup|

If the algorithm threw an error, rethrow the error.

# Integrations # {#integrations}

<pre class="idl">
Expand Down Expand Up @@ -1245,15 +1247,8 @@ partial interface Document {

#### Slots with trusted values #### {#slots-with-trusted-values}

Issue: Figure out if we can drop {{HTMLScriptElement/[[ScriptURL]]}} slot after IDL + DOM changes.

This document modifies {{HTMLScriptElement}}s. Each script has:

: <dfn for="HTMLScriptElement" lt="[[ScriptURL]]" attribute>`[[ScriptURL]]`</dfn> internal slot.
:: A string, containing the URL to execute the script from
that was set through a {{StringContext}} compliant sink. Equivalent to
{{HTMLScriptElement/src}} attribute value. Initially null.

: <dfn for="HTMLScriptElement" lt="[[ScriptText]]" attribute>`[[ScriptText]]`</dfn> internal slot.
:: A string, containing the body of the script to execute that was set
through a {{StringContext}} compliant sink. Equivalent to script's
Expand Down Expand Up @@ -1283,12 +1278,6 @@ On setting the {{HTMLElement/innerText}}, {{Node/textContent}} and {{HTMLScriptE
1. Set {{HTMLScriptElement/[[ScriptText]]}} internal slot value to the stringified attribute value.
1. Perform the usual attribute setter steps.


On setting the {{HTMLScriptElement/src}} IDL attribute, execute the following algorithm:

1. Set {{HTMLScriptElement/[[ScriptURL]]}} internal slot value to the stringified attribute value.
1. Perform the usual attribute setter steps.

#### Slot value verification #### {#slot-value-verification}

The first few steps of the [=prepare the script element=] algorithm are modified as follows:
Expand All @@ -1312,14 +1301,6 @@ The first few steps of the [=prepare the script element=] algorithm are modified
<li><p>Let <var>source text</var> be <var>el</var>'s <del><a id=script-processing-model:child-text-content href=https://dom.spec.whatwg.org/#concept-child-text-content data-x-internal=child-text-content>child text content</a>.</del> <ins>`[[ScriptText]]` internal slot value.</ins>
<li>...
</ol>
<p>In all subsequent steps, replace checks for <code>src</code> attribute existence with checks for non-null `[[ScriptURL]]` internal slot value, and replace references of <code>src</code> content attribute value with `[[ScriptURL]]` internal slot value. For example:
<ul>
<li>If <del><var>el</var> does not have a <code>src</a></code> content attribute</del><ins><var>el</var>'s `[[ScriptURL]]` internal slot value is null</ins>, and the <a id="script-processing-model:should-element's-inline-behavior-be-blocked-by-content-security-policy" href=https://w3c.github.io/webappsec-csp/#should-block-inline data-x-internal="should-element's-inline-behavior-be-blocked-by-content-security-policy">Should element's inline
behavior be blocked by Content Security Policy?</a> algorithm returns "<code>Blocked</code>" when given <var>el</var>, "<code>script</code>", and
<var>source text</var>, then return.
<li>If <var>el</var><ins>'s</ins> <del>has a <code>src</code> content attribute</del><ins>`[[ScriptURL]]` internal slot value is not null</ins>, then:
<li><p>Let <var ignore="">src</var> be the value of <var>el</var>'s <del><code>src</a></code> attribute</del><ins>`[[ScriptURL]]` internal slot</ins>.
</ul>

### Enforcement in element attributes ### {#enforcement-in-sinks}

Expand Down Expand Up @@ -1495,45 +1476,6 @@ On setting {{SVGAnimatedString/baseVal}}, the following steps are run:

Note: SVG does not have a complete script processing model <a href="https://github.com/w3c/svgwg/issues/196">yet</a>. Trusted Types assumes that the attribute and text body modification protections behave similarly to ones for HTML scripts outlined in [[#enforcement-in-scripts]].

## Integration with DOM ## {#integration-with-dom}

This document modifies the {{Element}} interface, adding <a>attribute validation steps</a>:

<p><ins>This and <a lt="other applicable specifications">other specifications</a> may define
<dfn export id=concept-element-attributes-validation-ext>attribute validation steps</dfn> for
<a for=/ spec=dom>elements</a>. The algorithm is passed <var>element</var>, <var>localName</var>,
<var>value</var>, and <var ignore>namespace</var>.</ins>

This document changes the <a spec="dom">handle attribute changes</a> algorithm, adding the following step at the beginning:
<ol>
<li><ins><p>Run the <a>attribute validation steps</a> with <var>element</var>,
<var>attribute</var>'s <a for=Attr>local name</a>, <var ignore>newValue</var> and
<var>attribute</var>'s <a for=Attr>namespace</a>. If this throws an exception, then
rethrow the exception and abort further steps.</ins>
</ol>

Additionally, this document changes the <a spec=dom>append</a> an attribute algorithm:

<p>To <dfn export id=concept-element-attributes-append lt="append an attribute">append</dfn> an
<a spec=dom>attribute</a> <var>attribute</var> to an <a spec=dom for="/">element</a> <var>element</var>
<ins>with a <var>value</var></ins>, run these steps:

<ol>
<li><p><a spec="dom">Handle attribute changes</a> for <var>attribute</var> with <var>element</var>, null, and
<del><var>attribute</var>'s <a for=Attr>value</a></del><ins><var>value</var></ins>.

<li><ins><p>Set <var>attribute</var>'s <a for=Attr>value</a> to <var>value</var>.</ins>

<li><p><a for=list>Append</a> <var>attribute</var> to <var>element</var>'s
<a for=Element>attribute list</a>.
<li><p>Set <var>attribute</var>'s <a for=Attr>element</a> to <var>element</var>.
</ol>

Callers of this algorithm are changed accordingly.

Issue: Remove when <a href="https://github.com/whatwg/dom/pull/809">DOM #809</a> is merged.


## Integration with DOM Parsing ## {#integration-with-dom-parsing}

This document modifies the following interfaces defined by [[DOM-Parsing]]:
Expand Down

0 comments on commit 7820b21

Please sign in to comment.