SeleniumHQ
GitHub Repository: SeleniumHQ/Selenium
Path: blob/trunk/third_party/closure/goog/conformance_proto.txt
# proto-file: third_party/java_src/jscomp/java/com/google/javascript/jscomp/conformance.proto
# proto-message: ConformanceConfig

# Conformance users:
#
# DO NOT COPY AND PASTE THESE RULES. If you do, changes to Closure can break
# your build and you also won't get new or improved rules. Instead use this
# file in your project and extend the rules to disable them or to add their
# allowlists.

### Platform restrictions ###

requirement: {
  # Rule closure:callee: Arguments.prototype.callee is a banned property.
  # Files matching an allowlist_regexp below are exempt from this rule.
  rule_id: "closure:callee"
  type: BANNED_PROPERTY
  error_message: "Arguments.prototype.callee is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#callee"

  value: "Arguments.prototype.callee"

  # Exempt: legacy stack trace support, etc.
  allowlist_regexp: ".+/closure/goog/debug/"
  # TODO(mlourenco): Fix this? Not sure if possible or not.
  allowlist_regexp: ".+/closure/goog/testing/stacktrace.js"
}
requirement: {
  # Rule closure:throwOfNonErrorTypes: a CUSTOM rule implemented by the
  # java_class named below. Per its error message, only Error objects or
  # Error subclasses may be thrown.
  rule_id: "closure:throwOfNonErrorTypes"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanThrowOfNonErrorTypes"
  error_message: "Only Error or Error subclass objects may be thrown. See https://google.github.io/closure-library/develop/conformance_rules.html#throwOfNonErrorTypes"

  # TODO(user): Violation occurs in code generated by Emscripten.
  allowlist_regexp: ".+_wasm_js_library_generated.js"
  # Exempt: throws numbers as part of its api.
  allowlist_regexp: ".+/closure/goog/storage/"
  # Exempt: throws Object in $recordAndThrow.
  allowlist_regexp: ".+/closure/goog/testing/mock.js"
}
requirement: {
  # Rule closure:globalVars: a CUSTOM rule implemented by the java_class named
  # below. Per its error message, global declarations are rejected. Exemptions
  # come in two forms: file paths (allowlist_regexp) and global names (value).
  rule_id: "closure:globalVars"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanGlobalVars"
  error_message: "Global declarations are not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#globalVars"

  # Exempt: global 'goog'.
  allowlist_regexp: ".+/closure/goog/base.js"
  # Exempt: global matchers, etc.
  allowlist_regexp: ".+/closure/goog/labs/testing/"
  # Exempt: dumb api.
  allowlist_regexp: ".+/closure/goog/locale/locale.js"
  # Exempt: global assert methods, etc.
  allowlist_regexp: ".+/closure/goog/testing/"
  # Exempt: global values.
  allowlist_regexp: ".+/closure/goog/tweak/testhelpers.js"
  # Exempt: injected '_ModuleManager_initialize'.
  allowlist_regexp: "^Post-"

  # Allowlist for global names. Closure Compiler requires each of these to be
  # a global var.
  value: "CLOSURE_DEFINES"
  value: "CLOSURE_UNCOMPILED_DEFINES"
  value: "CLOSURE_NO_DEPS"
}
requirement: {
  # Rule closure:unknownThis: a CUSTOM rule implemented by the java_class
  # named below. Per its error message, references to "this" whose type is
  # "unknown" are rejected.
  rule_id: "closure:unknownThis"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanUnknownThis"
  error_message: "References to \"this\" that are typed as \"unknown\" are not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#unknownThis"

  # Exempt paths. The file records no justification for these entries.
  allowlist_regexp: ".+/closure/goog/base.js"
  allowlist_regexp: ".+/closure/goog/debug/errorhandler.js"
  allowlist_regexp: ".+/closure/goog/editor/plugins/linkbubble.js"
  allowlist_regexp: ".+/closure/goog/editor/plugins/linkdialogplugin.js"
  allowlist_regexp: ".+/closure/goog/functions/functions.js"
  allowlist_regexp: ".+/closure/goog/memoize/memoize.js"
  allowlist_regexp: ".+/closure/goog/pubsub/pubsub.js"
  allowlist_regexp: ".+/closure/goog/testing/"
  allowlist_regexp: ".+/closure/goog/ui/editor/bubble.js"
  allowlist_regexp: ".+/closure/goog/ui/editor/toolbarcontroller.js"
  # TODO(user): Violation occurs in code generated by Emscripten.
  allowlist_regexp: ".+_wasm_js_library_generated.js"
}

### Browser tech requirements ###

# This requirement is somewhat Google-specific: open-source Closure users that
# don't use GAPI could reasonably ignore it, depending on how they do messaging
# in their app.
requirement: {
  # Rule closure:postMessage: calls to Window.prototype.postMessage are banned
  # outside the allowlisted files. postMessage is a cross-window messaging
  # channel, so each exempt caller is a place where message targets and
  # origins have to be handled correctly.
  rule_id: "closure:postMessage"
  type: BANNED_PROPERTY_CALL
  error_message: "Window.prototype.postMessage is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#postMessage"

  value: "Window.prototype.postMessage"

  # Known-safe common infrastructure.
  allowlist_regexp: ".+/closure/goog/async/nexttick.js"
  allowlist_regexp: ".+/closure/goog/net/xpc/nativemessagingtransport.js"
  # TODO(user): make sure this gets security reviewed (b/29333525).
  # NOTE(review): until that TODO is resolved, this exemption is recorded as
  # unreviewed rather than known-safe; audit portchannel.js use accordingly.
  allowlist_regexp: ".+/closure/goog/messaging/portchannel.js"
}

### Security: forbid DOM properties and functions which can cause XSS ###

# These are properties and functions which might have safe wrappers under
# goog.dom.safe. There are two groups: properties and functions which accept
# HTML/CSS/script-as-string, and properties and functions which accept URLs.

#### DOM properties and functions which accept HTML/CSS/script-as-string #####

requirement: {
  # Rule closure:eval: the names eval, execScript and goog.globalEval are
  # banned (BANNED_NAME). Each allowlist entry below is a file that may still
  # evaluate code from a string, so these are the places to audit.
  rule_id: 'closure:eval'
  # TODO(jakubvrana): Change to BANNED_NAME_CALL after cl/154708486 lands.
  type: BANNED_NAME
  error_message: 'eval is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'eval'
  value: 'execScript'
  value: 'goog.globalEval'

  # NOTE(review): in these patterns the '.' before 'js' is an unescaped regex
  # wildcard and there is no '$' anchor. Directory-style entries elsewhere in
  # this file suggest the patterns are searched rather than fully matched; if
  # so, a path such as '.../base.js.bak/x.js' would also be exempt. Confirm
  # against the compiler before relying on an entry to name exactly one file.

  # Exempt: goog.module loading in uncompiled code.
  allowlist_regexp: '.+/closure/goog/base.js'
  # Exempt: forwards goog.globalEval.
  allowlist_regexp: '.+/closure/goog/goog.js'
  # Exempt: wraps setTimeout and similar functions.
  allowlist_regexp: '.+/closure/goog/debug/errorhandler.js'
  # Exempt: used in goog.json.parse.
  allowlist_regexp: '.+/closure/goog/json/json.js'
  # Exempt: no justification recorded for the two module loaders.
  allowlist_regexp: '.+/closure/goog/module/loader.js'
  allowlist_regexp: '.+/closure/goog/module/moduleloader.js'
}
requirement: {
  # Rule closure:windowEval: calls to eval and execScript through a Window
  # object are banned (BANNED_PROPERTY_CALL). This is the property-call
  # counterpart of the bare names covered by closure:eval.
  rule_id: 'closure:windowEval'
  type: BANNED_PROPERTY_CALL
  error_message: 'window.eval is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'Window.prototype.eval'
  value: 'Window.prototype.execScript'

  allowlist_regexp: '.+/closure/goog/base.js'
  # TODO(jakubvrana): To be investigated.
  # NOTE(review): this exemption is still marked as uninvestigated.
  allowlist_regexp: '.+/closure/goog/net/xpc/nixtransport.js'
}
requirement: {
  # Rule closure:stringFunctionDefinition: restricts how Function, setTimeout,
  # setInterval and requestAnimationFrame may be called by name. Each value is
  # written as NAME:SIGNATURE; per the error message, calls that pass a string
  # argument (code supplied as text) are rejected. No allowlist is defined.
  rule_id: 'closure:stringFunctionDefinition'
  type: RESTRICTED_NAME_CALL
  error_message: 'Function, setTimeout, setInterval and requestAnimationFrame are not allowed with string argument. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'Function:function()'
  value: 'setTimeout:function(Function, ...?)'
  value: 'setInterval:function(Function, ...?)'
  value: 'requestAnimationFrame:function(Function, ...?)'
}
requirement: {
  # Rule closure:windowStringFunctionDefinition: the method-call counterpart
  # of closure:stringFunctionDefinition, covering the timer and animation
  # methods reached through a Window object. Per the error message, calls with
  # a string argument are rejected. No allowlist is defined.
  rule_id: 'closure:windowStringFunctionDefinition'
  type: RESTRICTED_METHOD_CALL
  error_message: 'window.setTimeout, setInterval and requestAnimationFrame are not allowed with string argument. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'Window.prototype.setTimeout:function(Function, ...?)'
  value: 'Window.prototype.setInterval:function(Function, ...?)'
  value: 'Window.prototype.requestAnimationFrame:function(Function, ...?)'
}
requirement: {
  # Rule closure:innerHtml: non-constant writes to Element.prototype.innerHTML
  # are banned (BANNED_PROPERTY_NON_CONSTANT_WRITE). Every allowlist entry is
  # a file that may still assign a computed string to innerHTML.
  rule_id: 'closure:innerHtml'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Element.prototype.innerHTML is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#innerHtml'

  value: 'Element.prototype.innerHTML'

  # Safe wrapper for this property.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'

  # Safe DOM Tree Processor and HTML sanitizer, which use it safely in order to
  # have the browser parse an HTML string using an inert DOM.
  allowlist_regexp: '.+/closure/goog/html/sanitizer/htmlsanitizer.js'
  allowlist_regexp: '.+/closure/goog/html/sanitizer/safedomtreeprocessor.js'
  # Safely used in goog.string.unescapeEntitiesUsingDom_; the string assigned to
  # innerHTML is a single HTML entity.
  allowlist_regexp: '.+/closure/goog/string/string.js'
  # goog.soy.renderElement and renderAsElement. Safe if used with Strict Soy
  # templates.
  allowlist_regexp: '.+/closure/goog/soy/soy.js'
  # NOTE(review): the four entries below carry no recorded justification, and
  # two of them exempt whole directories (editor/, testing/). Treat innerHTML
  # writes under these paths as unreviewed when auditing for XSS.
  allowlist_regexp: '.+/closure/goog/dom/browserrange/ierange.js'
  allowlist_regexp: '.+/closure/goog/editor/'
  allowlist_regexp: '.+/closure/goog/style/style.js'
  allowlist_regexp: '.+/closure/goog/testing/'
}
requirement: {
  # Rule closure:outerHtml: non-constant writes to Element.prototype.outerHTML
  # are banned. The error message links to the same documentation anchor
  # (#innerHtml) as the closure:innerHtml rule.
  rule_id: 'closure:outerHtml'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Element.prototype.outerHTML is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#innerHtml'

  value: 'Element.prototype.outerHTML'

  # Safe wrapper for this property.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
  # Exempt: the whole editor directory; no justification is recorded here.
  allowlist_regexp: '.+/closure/goog/editor/'
}
requirement: {
  # Rule closure:documentWrite: Document.prototype.write and writeln are
  # banned properties; the error message points callers to
  # goog.dom.safe.documentWrite instead.
  rule_id: 'closure:documentWrite'
  type: BANNED_PROPERTY
  error_message: 'Using Document.prototype.write is not allowed. Use goog.dom.safe.documentWrite instead. See https://google.github.io/closure-library/develop/conformance_rules.html#documentWrite.'

  value: 'Document.prototype.write'
  value: 'Document.prototype.writeln'

  # These are safe.
  allowlist_regexp: '.+/closure/goog/async/nexttick.js'
  allowlist_regexp: '.+/closure/goog/base.js'
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
  # TODO(jakubvrana): These need to be refactored.
  # NOTE(review): unlike the entries above, these two are pending refactoring
  # and are not described as safe.
  allowlist_regexp: '.+/closure/goog/editor/icontent.js'
  allowlist_regexp: '.+/closure/goog/testing/'
}
requirement: {
  # Rule closure:untypedScript: a CUSTOM rule (BanCreateElement) for the tag
  # name "script". Per the error message, <script> elements are to be created
  # through goog.dom functions with goog.dom.TagName.SCRIPT.
  rule_id: "closure:untypedScript"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.SCRIPT to create <script> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "script"

  # Exempt path; no justification is recorded here.
  allowlist_regexp: ".+/closure/goog/base.js"
}
requirement: {
  # Rule closure:untypedIframe: a CUSTOM rule (BanCreateElement) for the tag
  # name "iframe". Per the error message, <iframe> elements are to be created
  # through goog.dom functions with goog.dom.TagName.IFRAME.
  rule_id: "closure:untypedIframe"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.IFRAME to create <iframe> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "iframe"

  # Exempt path; no justification is recorded here.
  allowlist_regexp: ".+/closure/goog/async/nexttick.js"
}
requirement: {
  # Rule closure:untypedFrame: a CUSTOM rule (BanCreateElement) for the tag
  # name "frame". Per the error message, <frame> elements are to be created
  # through goog.dom functions with goog.dom.TagName.FRAME. No allowlist.
  rule_id: "closure:untypedFrame"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.FRAME to create <frame> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "frame"
}
requirement: {
  # Rule closure:untypedObject: a CUSTOM rule (BanCreateElement) for the tag
  # name "object". Per the error message, <object> elements are to be created
  # through goog.dom functions with goog.dom.TagName.OBJECT. No allowlist.
  rule_id: "closure:untypedObject"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.OBJECT to create <object> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "object"
}
requirement: {
  # Rule closure:untypedEmbed: a CUSTOM rule (BanCreateElement) for the tag
  # name "embed". Per the error message, <embed> elements are to be created
  # through goog.dom functions with goog.dom.TagName.EMBED. No allowlist.
  rule_id: "closure:untypedEmbed"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.EMBED to create <embed> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "embed"
}
requirement: {
  # Rule closure:scriptContentProperty: writes to the content properties of
  # HTMLScriptElement (innerHTML, text, textContent) are banned. As the error
  # message explains, filling a <script> and attaching it to the document is
  # equivalent to eval().
  rule_id: 'closure:scriptContentProperty'
  type: BANNED_PROPERTY_WRITE
  error_message: 'Setting content of <script> and then appending it to the document has the same effect as calling eval(). See https://google.github.io/closure-library/develop/conformance_rules.html#scriptContent'
  # We ban untyped script creation by closure:untypedScript.
  # NOTE(review): with loose-type reporting off, this rule presumably depends
  # on closure:untypedScript to keep script elements precisely typed; confirm
  # both rules stay enabled together.
  report_loose_type_violations: false

  value: 'HTMLScriptElement.prototype.innerHTML'
  value: 'HTMLScriptElement.prototype.text'
  value: 'HTMLScriptElement.prototype.textContent'

  # Exempt paths; no justification is recorded here.
  allowlist_regexp: '.+/closure/goog/base.js'
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
}
requirement: {
  # Rule closure:scriptContentMethod: HTMLScriptElement.prototype.appendChild
  # is a banned property. It shares its error message with
  # closure:scriptContentProperty: adding content to a <script> that reaches
  # the document is equivalent to eval().
  rule_id: 'closure:scriptContentMethod'
  type: BANNED_PROPERTY
  error_message: 'Setting content of <script> and then appending it to the document has the same effect as calling eval(). See https://google.github.io/closure-library/develop/conformance_rules.html#scriptContent'
  # We ban untyped script creation by closure:untypedScript.
  report_loose_type_violations: false

  value: 'HTMLScriptElement.prototype.appendChild'

  # Exempt path; no justification is recorded here.
  allowlist_regexp: '.+/closure/goog/base.js'
}

#### DOM properties and functions which accept URLs ####

# One rule per property name that exists for several types (e.g. href).
# Property names that exist for a single type (e.g. manifest) all
# share a single rule.
# Types with several dangerous properties and functions have their own rule
# (e.g. Location). This rule does not include any of its properties which are
# shared with other types (e.g. Location.prototype.href).
#
# For property names that exist on several types (e.g. href), the matching
# is done for their shared super type, even if the super type itself does not
# have the property. For example, Element does not have the href property, but
# many of its subtypes do. It's also necessary to match on Element for
# properties that exist on Element's subtypes because document.createElement()
# returns Element; matching on its subtypes only would miss many writes to the
# property.

# TODO(mlourenco): Create locationType rule banning protocol, assign()
# and replace() of Location.

# TODO(mlourenco): Move to "hrefProperty".
requirement: {
  # Rule closure:locationHref: non-constant writes to Location.prototype.href
  # are banned. Such a write navigates the page to a computed URL, so exempt
  # files are where URL handling needs review.
  rule_id: 'closure:locationHref'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Location.prototype.href is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#location'

  value: 'Location.prototype.href'

  # Exempt path. Other rules in this file describe dom/safe.js as the safe
  # wrapper; no justification is recorded on this entry itself.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'

  # The following allowlist entries are due to usages of .href that still
  # need to be refactored or reviewed. See http://b/12014412.
  allowlist_regexp: '.+/closure/goog/history/history.js'
}

# TODO(mlourenco): Rename to "locationProperty". Add Document.location to it.
requirement: {
  # Rule closure:location: non-constant writes to Window.prototype.location
  # are banned. No allowlist is defined for this rule.
  rule_id: 'closure:location'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Window.prototype.location is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#location'

  value: 'Window.prototype.location'
}

# TODO(user): Rename hrefProperty.
requirement: {
  # Rule closure:href: non-constant writes to the .href property are banned
  # on Element (matched at the shared supertype) and on two non-Element types.
  rule_id: 'closure:href'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to .href property of Anchor, Link, etc elements, is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#href'

  # Many subtypes of Element have an href property.
  value: 'Element.prototype.href'
  # These are not subtypes of Element.
  value: 'StyleSheet.prototype.href'
  value: 'CSSImportRule.prototype.href'

  # Safe wrapper for this property.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
  # The following allowlist entries are due to usages of .href that still
  # need to be refactored or reviewed. See http://b/12014412.
  allowlist_regexp: '.+/closure/goog/editor/plugins/linkdialogplugin.js'
  allowlist_regexp: '.+/closure/goog/testing/testrunner.js'
  # This use has previously been refactored away, but had to be rolled
  # back due to breakages in gmail, see http://b/13727806.
  # This use may actually be safe because it only assigns to .href in
  # the context of a contenteditable. To be further reviewed.
  allowlist_regexp: '.+/closure/goog/editor/link.js'
}

# TODO(mlourenco): Move src to "srcProperty", others to "otherProperties". Ban
# "src" and other properties at "Element", so that elements returned by
# document.createElement() are captured.
requirement: {
  # Rule closure:trustedResourceUrlProperties: non-constant writes to the
  # resource-loading properties listed below are banned. Per the error
  # message, such assignments need a TrustedResourceUrl via goog.dom.safe.
  rule_id: "closure:trustedResourceUrlProperties"
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: "Assignment to property requires a TrustedResourceUrl via goog.dom.safe. See https://google.github.io/closure-library/develop/conformance_rules.html#trustedResourceUrl"
  report_loose_type_violations: false

  # Properties which can only be assigned to from a TrustedResourceUrl.
  value: "HTMLElement.prototype.manifest"
  value: 'HTMLEmbedElement.prototype.src'
  value: 'HTMLFrameElement.prototype.src'
  value: 'HTMLIFrameElement.prototype.src'
  # For HTMLLinkElement both href and rel have to be assigned at the same time.
  value: "HTMLLinkElement.prototype.rel"
  # TODO(mlourenco): We probably want an "objectType" rule instead since
  # there are a bunch of dangerous properties.
  value: "HTMLObjectElement.prototype.data"
  value: 'HTMLScriptElement.prototype.src'
  # TODO(mlourenco): Ban other dangerous properties (archive, classid, etc).

  # Closure's debug loader.
  allowlist_regexp: '.+/closure/goog/base.js'
  # Safe wrapper for this property.
  allowlist_regexp: ".+/closure/goog/dom/safe.js"
  # The following allowlist entries are due to assignments from string that
  # still need to be refactored or reviewed. See http://b/12014412.
  # NOTE(review): one of these exempts the whole net/xpc/ directory; treat
  # string-to-URL assignments under these paths as unreviewed.
  allowlist_regexp: '.+/closure/goog/net/crossdomainrpc.js'
  allowlist_regexp: '.+/closure/goog/net/xpc/'
  allowlist_regexp: '.+/closure/goog/testing/multitestrunner.js'
  allowlist_regexp: '.+/closure/goog/ui/dragdropdetector.js'
}
requirement: {
  # Rule closure:createDom: a CUSTOM rule (BanCreateDom). Per the error
  # message, it forbids assigning a string to a dangerous property through
  # createDom. Each value is written as TAG.PROPERTY, with '*' in the tag
  # position for href, innerHTML and outerHTML.
  rule_id: "closure:createDom"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateDom"
  error_message: "Assigning a string to a dangerous property via createDom is forbidden. See https://google.github.io/closure-library/develop/conformance_rules.html#createDom"

  value: "embed.src"
  value: "frame.src"
  value: "html.manifest"
  value: "iframe.src"
  value: "object.data"
  value: "script.src"
  value: "script.text"
  value: "script.textContent"
  value: "track.src"
  value: '*.href'
  value: '*.innerHTML'
  value: '*.outerHTML'

  # NOTE(review): the 'MOE:strip_line' marker suggests the first entry was
  # meant to be stripped from this copy of the file; it repeats the second
  # entry under a path without 'goog/'. Confirm whether it is still needed,
  # since every extra pattern widens the exemption.
  allowlist_regexp: ".+/closure/tweak/tweakui.js" # False positive - missing type on containerNodeName. MOE:strip_line
  # False positive - missing type on containerNodeName.
  allowlist_regexp: '.+/closure/goog/tweak/tweakui.js'

  # TODO(jakubvrana): Ban this.
  allowlist_regexp: '.+/closure/goog/ui/abstractspellchecker.js'
}

#### Closure functions which use goog.html.legacyconversions ####

# These are functions which accept a string and then use
# goog.html.legacyconversions to convert the string into SafeHtml. They
# are not XSS-safe.
#
# These rules allow projects to have compile-time errors for legacyconversions
# functions and to progressively move away from them by using the allowlist.