Add support for mandatory_oneof and mandatory_anyof attribute constraints

[westonruter]

Feature description

Someone had a <iframe src="about:blank"> in a post on https://wordpress.org/support/topic/google-console-error/#post-9946202

This is resulting in an <amp-iframe> being rendered but without a src attribute. The result is in valid AMP because src is mandatory.

The whitelist sanitizer should be removing the <amp-iframe> in this case I should think. But otherwise, the iframe sanitizer itself can preemptively remove the iframe to ensure validity. Perhaps a placeholder could be put there in its place.

---

Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

1. The iframe sanitizer should preemptively remove the iframe to ensure validity
2. When <iframe src="about:blank">is in a post the whitelist sanitizer should be removing the <amp-iframe>

Implementation brief

QA testing instructions

Demo

Changelog entry

[westonruter]

This will be fixed by implementing support for mandatory_oneof: https://github.com/ampproject/amphtml/blob/2db6d704364343057dbdbb1e2347973a54faae94/validator/validator-main.protoascii#L1508

See:

https://github.com/Automattic/amp-wp/blob/79b8b839f1922d3ccaddc36cf3ffddfc1a94f207/includes/sanitizers/class-amp-tag-and-attribute-sanitizer.php#L23-L24

[westonruter]

This has come up again: https://wordpress.org/support/topic/how-to-add-allow-presentation-attribute-to-amp-iframe/

[westonruter]

This came up yet again, but for a different reason: https://wordpress.org/support/topic/the-tag-iframe-is-missing-a-mandatory-attribute/

[westonruter]

amp-script has mandatory_anyof (as of #3003):

  attrs: {
    name: "script"
    mandatory_anyof: "['script', 'src']"
  }
  attrs: {
    name: "src"
    mandatory_anyof: "['script', 'src']"
    value_url: {
      protocol: "https"
      allow_relative: false
    }
    blacklisted_value_regex: "__amp_source_origin"
  }

Compare with amp-iframe which has mandatory_oneof:

  attrs: {
    name: "src"
    mandatory_oneof: "['src', 'srcdoc']"
    value_url: {
      protocol: "data"
      protocol: "https"
      allow_relative: true  # Will be set to false at a future date.
    }
    blacklisted_value_regex: "__amp_source_origin"
  }

Neither of these constraints are being applied currently.

Per @choumx, “mandatory_oneof requires that exactly one attribute is present”. This makes sense as amp-iframe allows for both src and srcdoc since not all browsers support the latter.

[dreamofabear]

Good catch that amp-script should use mandatory_oneof.

[westonruter]

@choumx Should it? I thought this made sense because amp-script should be configured to use a script either in an external location (via src attribute) or locally (via script attribute pointing to a script[type=text/plain]). No?

[dreamofabear]

Correct, so an amp-script that has both src and script should be invalid. Which is what mandatory_oneof enforces.

[westonruter]

So then should amp-iframe actually use mandatory_anyof because both src and srcdoc should be allowed? Per MDN:

So this should be valid AMP:

<amp-iframe 
    width="640" 
    height="480" 
    layout="responsive" 
    src="https://example.com"
    srcdoc="&lt;!doctype html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Example Domain&lt;/title&gt; &lt;meta charset=&quot;utf-8&quot; /&gt; &lt;meta http-equiv=&quot;Content-type&quot; content=&quot;text/html; charset=utf-8&quot; /&gt; &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1&quot; /&gt; &lt;style type=&quot;text/css&quot;&gt; body { background-color: #f0f0f2; margin: 0; padding: 0; font-family: &quot;Open Sans&quot;, &quot;Helvetica Neue&quot;, Helvetica, Arial, sans-serif; } div { width: 600px; margin: 5em auto; padding: 50px; background-color: #fff; border-radius: 1em; } a:link, a:visited { color: #38488f; text-decoration: none; } @media (max-width: 700px) { body { background-color: #fff; } div { width: auto; margin: 0 auto; border-radius: 0; padding: 1em; } } &lt;/style&gt; &lt;/head&gt; &lt;body&gt; &lt;div&gt; &lt;h1&gt;Example Domain&lt;/h1&gt; &lt;p&gt;This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.&lt;/p&gt; &lt;p&gt;&lt;a href=&quot;http://www.iana.org/domains/example&quot;&gt;More information...&lt;/a&gt;&lt;/p&gt; &lt;/div&gt; &lt;/body&gt; &lt;/html&gt;"
    >
  <span placeholder>...</span>
</amp-iframe>

But it is not.