j$.isError_ is not compatible with Trusted Types

[bjarkler]

The isError_ function is used to identify JS objects that are instances of Error. A simple instanceof check does not capture errors that are constructed e.g. in a different window, but instead the function performs an overzealous heuristic in order to detect this, which involves invoking the Function constructor, passing the string 'return this'.

Trusted Types is a runtime security mechanism which applications can configure in order to restrict usage of security-sensitive DOM APIs. Passing a string to the Function constructor is security-sensitive, and thus blocked by browsers in applications that configure Trusted Types in enforcement mode.

While this mechanism is primarily useful for preventing XSS vulnerabilities in production applications, there is also great value in enforcing Trusted Types in unit tests in order to detect and prevent unexpected breakage when enforcing Trusted Types in those applications.

Expected Behavior

The isError_ detects instances of Error in a way that is compatible with Trusted Types. In particular, it should not call the Function constructor or eval.

Current Behavior

The function currently calls new Function('return this'), which constitutes a Trusted Types violation. The overzealous nature of the current heuristic has also caused other issues in the past (#1623).

Possible Solution

Since the current implementation is after all a heuristic, perhaps a simpler heuristic would suffice. One approach is described on a StackOverflow question, and could be implemented as follows:

j$.isError_ = function(value) {
  return value && value.stack && value.message &&
         typeof value.stack === 'string' &&
         typeof value.message === 'string';
};

Suite that reproduces the behavior (for bugs)

The following test suite needs to be run with Trusted Types enforced.

describe("isError_", function() {
  it("does not cause Trusted Types violations", function() {
    j$.isError_(new Error());
  });
});

To enforce Trusted Types when using Karma, specify the following in karma.conf.js:

module.exports = function(config) {
  config.set({
    customHeaders: [{
      match: ".*",
      name: "Content-Security-Policy",
      value: "trusted-types karma; require-trusted-types-for 'script';"
    }],
  });
};

Context

Angular recently added support for using Trusted Types. The present issue is currently blocking us from enforcing Trusted Types in Angular's test suite, which would help prevent regressions in Trusted Types support.

Your Environment

• Version used: 3.5.0
• Environment name and version: karma 4.4.0 running Chrome 87
• Link to your project: https://github.com/angular/angular

[sgravrock]

I support the idea of making Jasmine work with Trusted Types and I'd be happy to review a PR that does that without breaking anything in the process.

Here's the thing, though: it's not quite that easy to portably and correctly identify Error objects without resorting to something like what Jasmine currently does. The code in the possible solution above will return a false negative in at least these cases:

• On Internet Explorer and PhantomJS, an error's stack property isn't set until the error is thrown. This is likely a bigger problem for Jasmine than other software because we support failing a callback-based async spec by passing an error to the callback. Misidentifying errors as non-errors in that situation would cause specs to pass when they should have failed.
• On any platform, errors constructed with no message or the empty string will have a falsy message property.
• I haven't seen it for myself, but I've heard reports that the stack property is an array of objects rather than a string in some Node 11.x versions when run with --experimental-modules. (I'm not worried about this one since we don't support 11.x and Jasmine already doesn't work when stack is an array. I'm including it for completeness.)

So I think we'd need something a bit more robust than the code from that stackoverflow answer. We won't be able to assume that the stack property has a value until after we drop support for IE, and we probably can't ever assume that message is truthy.

[sgravrock]

Here are a few possible ways forward:

1. Drop support for IE, and also take the sting out of false negatives by treating any argument to a done callback as an error. Then it would probably be ok to make isError_ just check for the existence (not truthiness) of stack and message properties. This would be a pretty easy change but it would have to be done in the 4.0 release.
2. Add an off-by-default configuration setting that changes the behavior of isError_ and done callbacks as above. I'm not likely to implement this myself, but I'm willing to advise & review PRs if the Angular team wants to take it on.
3. Do both of the above.

I'm also open to other ideas.

So I guess the key questions are how long you're willing to wait for Trusted Types support, and whether you need a single version of Jasmine that supports both Trusted types and Internet Explorer. Option 2 above starts to make sense if the answers are anything other than "quite a while" and "no".

[bjarkler]

Hey Steve, thank you so much for looking into this and giving such a great summary of the issues and potential solutions. Angular will be dropping support for IE later this year, and getting Trusted Types support in our unit tests is not very time sensitive, so option 1 would probably work for us. Do you have an idea of when 4.0 is set to be released? I would be happy to take a stab at this and send a PR.

Just to drop one more potential solution into the mix; as a variation of option 1, instead of dropping support for IE we could feature-test for Trusted Types (check existence of window.trustedTypes), using the simpler existence (not truthiness, as you pointed out) check when Trusted Types are available. Currently this would only get triggered on Chromium-based browsers, and I doubt we'll have to worry about IE or PhantomJS supporting Trusted Types anytime soon. I'm not very familiar with the done callback but it sounds like we'd still want to change it to treat its argument as an error. Would that change still have to wait for the 4.0 release?

[sgravrock]

I didn't realize that Trusted Types availability was so narrow. An existence check for stack and error properties should be fine on Chromium-based browsers. (There's a very small risk of false positives, which I think we can live with, but I don't see any risk of false negatives.) I think it would be safe to include your proposed alternative solution in 3.x. That would get us through to 4.0, at which point we would hopefully be done with browsers that don't reliably set stack and could remove the old logic.

Your idea avoids the need to make changes to done callback param handling altogether, since the new isError_ logic would only run on browsers that reliably set stack.

We don't really have a good idea of when 4.0 will happen, and probably won't until we're pretty close to it. I'm aiming for sometime this winter but that's mostly just a guess at this point.