forked from mochajs/mocha
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support running with TrustedTypes enforced.
Trusted Types is a new Content Security Policy specification, currently implemented in browsers based on Chromium 83 or higher, which requires that data passed to APIs which may result in arbitrary code execution must go through an explicit policy. This helps to catch unintended use of dangerous APIs, and reduces the surface area for some security reviews. I'm not sure if test infrastructure like mocha is a likely target for attack – seems like in most cases an attacker could only access test data, and it is rare for tests to handle untrusted data. However, there's value for infrastructure to be compatible with running with Trusted Types enabled, as it will allow users to write tests to ensure that the code under test can run with Trusted Types. This change creates and applies policies for the two places in mocha that call innerHTML, and adds a temporary patch to the rollup build. With those changes in place, we can run mocha's karma tests with Trusted Types enabled (save for the one test that runs with requirejs, which relies on eval). More info: * Spec: https://w3c.github.io/webappsec-trusted-types/dist/spec/#introduction * Related PR adding support to karma: karma-runner/karma#3360
- Loading branch information
Showing
4 changed files
with
95 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters