
Add test for importing a `srcdoc` attribute node from a non-TT realm to a TT iframe element throws

Open mbrodesser-Igalia opened this issue 1 year ago • 1 comments

First step to fix https://github.com/w3c/trusted-types/issues/425.

Will add separate commits for the other tests requested in the above ticket.

mbrodesser-Igalia avatar Jan 31 '24 15:01 mbrodesser-Igalia

Stumbled on https://github.com/web-platform-tests/wpt/issues/44352, which either needs to be fixed or worked around.

mbrodesser-Igalia avatar Feb 01 '24 14:02 mbrodesser-Igalia

@annevk can you PTAL again?

mbrodesser-Igalia avatar Mar 07 '24 13:03 mbrodesser-Igalia

It would help to have a pointer to where the throwing is defined. I didn't see it in the linked issue either.

Indeed not obvious. The throwing stems from: https://github.com/whatwg/dom/pull/1247 (diff: https://whatpr.org/dom/1247/6a9b5a2...10ce041.html) which invokes https://w3c.github.io/trusted-types/dist/spec/#validate-attribute-mutation. The latter invokes https://w3c.github.io/trusted-types/dist/spec/#abstract-opdef-get-trusted-type-compliant-string which throws a TypeError in step 6.3.

mbrodesser-Igalia avatar Mar 27 '24 10:03 mbrodesser-Igalia

Thanks, this looks like the correct test.

I wonder if we should also test the inverse: that when you take an element out of a TT global, TT is no longer enforced for it.

I don't know how relevant that scenario is.

@koto: any experience with that?

mbrodesser-Igalia avatar Apr 11 '24 13:04 mbrodesser-Igalia

It's relevant for ensuring the specification is implemented correctly.

annevk avatar Apr 11 '24 17:04 annevk

It's relevant for ensuring the specification is implemented correctly.

True; but is that scenario actually relevant in practice?

mbrodesser-Igalia avatar Apr 15 '24 08:04 mbrodesser-Igalia

That does not matter for conformance tests. The whole point is that we can't know what websites might do and might rely on.

annevk avatar Apr 15 '24 08:04 annevk

That does not matter for conformance tests. The whole point is that we can't know what websites might do and might rely on.

Agreed. Added https://github.com/w3c/trusted-types/issues/425#issuecomment-2056452603 so that another test will be added.

mbrodesser-Igalia avatar Apr 15 '24 10:04 mbrodesser-Igalia

@annevk: can you please merge this test? I lack rights.

mbrodesser-Igalia avatar Apr 15 '24 10:04 mbrodesser-Igalia