118 lines
4.3 KiB
JavaScript
118 lines
4.3 KiB
JavaScript
/**
|
|
* @license
|
|
* Copyright The Closure Library Authors.
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
goog.provide('goog.dom.asserts');
|
|
|
|
goog.require('goog.asserts');
|
|
|
|
/**
|
|
* @fileoverview Custom assertions to ensure that an element has the appropriate
|
|
* type.
|
|
*
|
|
* Using a goog.dom.safe wrapper on an object on the incorrect type (via an
|
|
* incorrect static type cast) can result in security bugs: For instance,
|
|
* g.d.s.setAnchorHref ensures that the URL assigned to the .href attribute
|
|
* satisfies the SafeUrl contract, i.e., is safe to dereference as a hyperlink.
|
|
* However, the value assigned to a HTMLLinkElement's .href property requires
|
|
* the stronger TrustedResourceUrl contract, since it can refer to a stylesheet.
|
|
* Thus, using g.d.s.setAnchorHref on an (incorrectly statically typed) object
|
|
* of type HTMLLinkElement can result in a security vulnerability.
|
|
* Assertions of the correct run-time type help prevent such incorrect use.
|
|
*
|
|
* In some cases, code using the DOM API is tested using mock objects (e.g., a
|
|
* plain object such as {'href': url} instead of an actual Location object).
|
|
* To allow such mocking, the assertions permit objects of types that are not
|
|
* relevant DOM API objects at all (for instance, not Element or Location).
|
|
*
|
|
* Note that instanceof checks don't work straightforwardly in older versions of
|
|
* IE, or across frames (see,
|
|
* http://stackoverflow.com/questions/384286/javascript-isdom-how-do-you-check-if-a-javascript-object-is-a-dom-object,
|
|
* http://stackoverflow.com/questions/26248599/instanceof-htmlelement-in-iframe-is-not-element-or-object).
|
|
*
|
|
* Hence, these assertions may pass vacuously in such scenarios. The resulting
|
|
* risk of security bugs is limited by the following factors:
|
|
* - A bug can only arise in scenarios involving incorrect static typing (the
|
|
* wrapper methods are statically typed to demand objects of the appropriate,
|
|
* precise type).
|
|
* - Typically, code is tested and exercised in multiple browsers.
|
|
*/
|
|
|
|
/**
|
|
* Asserts that a given object is a Location.
|
|
*
|
|
* To permit this assertion to pass in the context of tests where DOM APIs might
|
|
* be mocked, also accepts any other type except for subtypes of {!Element}.
|
|
* This is to ensure that, for instance, HTMLLinkElement is not being used in
|
|
* place of a Location, since this could result in security bugs due to stronger
|
|
* contracts required for assignments to the href property of the latter.
|
|
*
|
|
* @param {?Object} o The object whose type to assert.
|
|
* @return {!Location}
|
|
*/
|
|
goog.dom.asserts.assertIsLocation = function(o) {
|
|
'use strict';
|
|
if (goog.asserts.ENABLE_ASSERTS) {
|
|
var win = goog.dom.asserts.getWindow_(o);
|
|
if (win) {
|
|
if (!o || (!(o instanceof win.Location) && o instanceof win.Element)) {
|
|
goog.asserts.fail(
|
|
'Argument is not a Location (or a non-Element mock); got: %s',
|
|
goog.dom.asserts.debugStringForType_(o));
|
|
}
|
|
}
|
|
}
|
|
return /** @type {!Location} */ (o);
|
|
};
|
|
|
|
|
|
/**
|
|
* Returns a string representation of a value's type.
|
|
*
|
|
* @param {*} value An object, or primitive.
|
|
* @return {string} The best display name for the value.
|
|
* @private
|
|
*/
|
|
goog.dom.asserts.debugStringForType_ = function(value) {
|
|
'use strict';
|
|
if (goog.isObject(value)) {
|
|
try {
|
|
return /** @type {string|undefined} */ (value.constructor.displayName) ||
|
|
value.constructor.name || Object.prototype.toString.call(value);
|
|
} catch (e) {
|
|
return '<object could not be stringified>';
|
|
}
|
|
} else {
|
|
return value === undefined ? 'undefined' :
|
|
value === null ? 'null' : typeof value;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Gets window of element.
|
|
* @param {?Object} o
|
|
* @return {?Window}
|
|
* @private
|
|
* @suppress {strictMissingProperties} ownerDocument not defined on Object
|
|
*/
|
|
goog.dom.asserts.getWindow_ = function(o) {
|
|
'use strict';
|
|
try {
|
|
var doc = o && o.ownerDocument;
|
|
// This can throw “Blocked a frame with origin "chrome-extension://..." from
|
|
// accessing a cross-origin frame” in Chrome extension.
|
|
var win =
|
|
doc && /** @type {?Window} */ (doc.defaultView || doc.parentWindow);
|
|
win = win || /** @type {!Window} */ (goog.global);
|
|
// This can throw “Permission denied to access property "Element" on
|
|
// cross-origin object”.
|
|
if (win.Element && win.Location) {
|
|
return win;
|
|
}
|
|
} catch (ex) {
|
|
}
|
|
return null;
|
|
};
|