commit a27489677d847b66d467240e7b986dae7688c9b8
parent bf41e0b41f38fea5db910c4d6d34278232aa02ee
Author: Tim van der Lippe <tvanderlippe@gmail.com>
Date: Thu, 9 Oct 2025 16:28:14 +0000
Bug 1990156 [wpt PR 55003] - Avoid crash when non-trusted-script object is passed into Function constructor, a=testonly
Automatic update from web-platform-tests
Avoid crash when non-trusted-script object is passed into eval
It is possible to pass in objects that are not trusted scripts
into an eval. Rather than crashing, we now treat these as
untrusted. `can_compile_string_with_trusted_type` doesn't need
to know the contents of a string, as it always marks it as
untrusted.
We can make the same optimization in the string case, where
we no longer need to convert the string.
Fixes #39436
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
--
wpt-commits: f6c0b13fb869706651a568a0476c26389481f862
wpt-pr: 55003
Diffstat:
1 file changed, 20 insertions(+), 0 deletions(-)
diff --git a/testing/web-platform/tests/trusted-types/eval-with-non-trusted-script-object.html b/testing/web-platform/tests/trusted-types/eval-with-non-trusted-script-object.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script nonce="abc" src="/resources/testharness.js"></script>
+ <script nonce="abc" src="/resources/testharnessreport.js"></script>
+ <script nonce="abc" src="support/helper.sub.js"></script>
+
+ <!-- Note: Trusted Types enforcement, and a CSP that does not blanket-allow eval. -->
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; require-trusted-types-for 'script'">
+</head>
+<body>
+<script nonce="abc">
+ const p = createScript_policy(window, 1);
+ test(t => {
+ assert_throws_js(EvalError, _ => {
+ // Without Trusted Types enforcement, this would return 47
+ new Function({toString() { return "a"; }}, "return a + 42")(5);
+ });
+ }, "Function constructor of stringified object and TrustedScript fails.");
+</script>
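Review bot: The test name on the line before `</script>` says "stringified object and TrustedScript", but the body argument `"return a + 42"` in the `new Function(...)` call is a plain string, and the policy `p` created right after `<script nonce="abc">` is never used, so the TrustedScript-body variant the commit message describes ("the same optimization in the string case" versus the trusted case) is not actually exercised. Either pass the body through the policy, `new Function({toString() { return "a"; }}, p.createScript("return a + 42"))(5);`, or rename the test to "Function constructor of stringified object and string fails." so the name matches what is asserted; ideally add both variants as separate `test()` cases. Whether `createScript_policy(window, 1)` registers a default policy (which would change the expected exception) depends on support/helper.sub.js, which is outside this hunk — confirm before relying on `EvalError`.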