Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add option to continue on trusted-types policy-creation failure
Webpack already allows for specifying a trusted-types policy name. However, its current implementation is such that if a call to trustedTypes.createPolicy fails, the code will immediately stop executing. This isn't necessarily desirable, as an application could be in the early phases of rolling out trusted types, and thus have the CSP rule for trusted-types LibraryA LibraryB etc, BUT have require-trusted-types-for 'script' be in "report only" mode (Content-Security-Policy-Report-Only). In such a configuration, and when the webpacked code is dynamically-loaded into an application, adding the policy name to the webpack config will break old versions. This PR keeps the original behavior, but introduces a new option for onPolicyCreationFailure: "continue" | "stop" (with "stop" remaining the default). If a developer chooses the "continue" option, the policy-creation will be wrapped in a try/catch. There is no security risk to this, since for host applications that DO have strict enforcement of trusted-types, the code will simply fail when the dangerous sink is used (e.g., when doing parseFromString). And likewise, wrapping in try/catch and doing nothing on catch is OK, because the code already deals with the possibility of the trustedTypes API not being available on the browser.
- Loading branch information
1 parent
1bfabd2
commit 50159b1
Showing
13 changed files
with
159 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
36 changes: 36 additions & 0 deletions
36
test/configCases/trusted-types/continue-on-policy-creation-failure/index.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
it("can continue on policy creation failure", function () { | ||
// emulate trusted types in a window object | ||
window.trustedTypes = { | ||
createPolicy: () => { | ||
throw new Error("Rejecting createPolicy call"); | ||
} | ||
}; | ||
|
||
const createPolicySpy = jest.spyOn(window.trustedTypes, "createPolicy"); | ||
const consoleWarn = jest.spyOn(console, "warn").mockImplementation(() => {}); | ||
|
||
const promise = import( | ||
"./empty?b" /* webpackChunkName: "continue-on-policy-creation-failure" */ | ||
); | ||
var script = document.head._children.pop(); | ||
expect(script.src).toBe( | ||
"https://test.cases/path/continue-on-policy-creation-failure.web.js" | ||
); | ||
__non_webpack_require__("./continue-on-policy-creation-failure.web.js"); | ||
|
||
expect(createPolicySpy).toHaveBeenCalledWith( | ||
"CustomPolicyName", | ||
expect.objectContaining({ | ||
createScriptURL: expect.anything() | ||
}) | ||
); | ||
expect(createPolicySpy).toThrow(); | ||
expect(consoleWarn).toHaveBeenCalledWith( | ||
`Could not create trusted-types policy "CustomPolicyName"` | ||
); | ||
|
||
createPolicySpy.mockReset(); | ||
consoleWarn.mockReset(); | ||
|
||
return promise; | ||
}); |
17 changes: 17 additions & 0 deletions
17
test/configCases/trusted-types/continue-on-policy-creation-failure/webpack.config.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
module.exports = { | ||
target: "web", | ||
output: { | ||
chunkFilename: "[name].web.js", | ||
crossOriginLoading: "anonymous", | ||
trustedTypes: { | ||
policyName: "CustomPolicyName", | ||
onPolicyCreationFailure: "continue" | ||
} | ||
}, | ||
performance: { | ||
hints: false | ||
}, | ||
optimization: { | ||
minimize: false | ||
} | ||
}; |
Empty file.
38 changes: 38 additions & 0 deletions
38
test/configCases/trusted-types/stop-on-policy-creation-failure/index.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
it("should stop if policy fails to be created", function () { | ||
// emulate trusted types in a window object | ||
window.trustedTypes = { | ||
createPolicy: () => { | ||
throw new Error("Rejecting createPolicy call"); | ||
} | ||
}; | ||
|
||
const createPolicySpy = jest.spyOn(window.trustedTypes, "createPolicy"); | ||
const consoleWarn = jest.spyOn(console, "warn").mockImplementation(() => {}); | ||
|
||
let promise; | ||
try { | ||
promise = import( | ||
"./empty?test=stop-on-policy-creation-failure" /* webpackChunkName: "stop-on-policy-creation-failure" */ | ||
); | ||
} catch (e) { | ||
expect(e.message).toBe("Rejecting createPolicy call"); | ||
} | ||
|
||
// Unlike in the other test cases, we expect the failure above to prevent any scripts from being added to the document head | ||
expect(document.head._children.length).toBe(0); | ||
expect(createPolicySpy).toHaveBeenCalledWith( | ||
"webpack", | ||
expect.objectContaining({ | ||
createScriptURL: expect.anything() | ||
}) | ||
); | ||
|
||
// Unlike in the "continue-on-policy-creation-failure" case, we expect an outright thrown error, | ||
// rather than a console warning. The console should not have been called: | ||
expect(consoleWarn).toHaveBeenCalledTimes(0); | ||
|
||
createPolicySpy.mockReset(); | ||
consoleWarn.mockReset(); | ||
|
||
return promise; | ||
}); |
14 changes: 14 additions & 0 deletions
14
test/configCases/trusted-types/stop-on-policy-creation-failure/webpack.config.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
module.exports = { | ||
target: "web", | ||
output: { | ||
chunkFilename: "[name].web.js", | ||
crossOriginLoading: "anonymous", | ||
trustedTypes: true | ||
}, | ||
performance: { | ||
hints: false | ||
}, | ||
optimization: { | ||
minimize: false | ||
} | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters