Bug 1947732 - Provide nsIPrincipal to GetTrustedTypesCompliantString. r=smaug

Differential Revision: https://phabricator.services.mozilla.com/D246424

dom/base/DOMParser.cpp

@@ -101,7 +101,8 @@ already_AddRefed<Document> DOMParser::ParseFromStringInternal(
 }
 
 already_AddRefed<Document> DOMParser::ParseFromString(
-    const TrustedHTMLOrString& aStr, SupportedType aType, ErrorResult& aRv) {
+    const TrustedHTMLOrString& aStr, SupportedType aType,
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv) {
   constexpr nsLiteralString sink = u"DOMParser parseFromString"_ns;
 
   MOZ_ASSERT(mOwner);
@@ -110,7 +111,7 @@ already_AddRefed<Document> DOMParser::ParseFromString(
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aStr, sink, kTrustedTypesOnlySinkGroup, *pinnedOwner,
-          compliantStringHolder, aRv);
+          aSubjectPrincipal, compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return nullptr;
   }

dom/base/DOMParser.h

@@ -15,6 +15,7 @@
 #include "mozilla/dom/TypedArray.h"
 
 class nsIGlobalObject;
+class nsIPrincipal;
 
 namespace mozilla {
 class ErrorResult;
@@ -41,7 +42,8 @@ class DOMParser final : public nsISupports, public nsWrapperCache {
                                                      ErrorResult& aRv);
 
   MOZ_CAN_RUN_SCRIPT already_AddRefed<Document> ParseFromString(
-      const TrustedHTMLOrString& aStr, SupportedType aType, ErrorResult& aRv);
+      const TrustedHTMLOrString& aStr, SupportedType aType,
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv);
 
   // Chrome and UI Widgets API
   already_AddRefed<Document> ParseFromSafeString(const nsAString& aStr,

dom/base/Document.cpp

@@ -5206,6 +5206,7 @@ void Document::EnsureInitializeInternalCommandDataHashtable() {
 Document::InternalCommandData Document::ConvertToInternalCommand(
     const nsAString& aHTMLCommandName,
     const TrustedHTMLOrString* aValue /* = nullptr */,
+    nsIPrincipal* aSubjectPrincipal /* = nullptr */,
     ErrorResult* aRv /* = nullptr */,
     nsAString* aAdjustedValue /* = nullptr */) {
   MOZ_ASSERT(!aAdjustedValue || aAdjustedValue->IsEmpty());
@@ -5244,8 +5245,8 @@ Document::InternalCommandData Document::ConvertToInternalCommand(
   if (commandData.mCommand == Command::InsertHTML) {
     constexpr nsLiteralString sink = u"Document execCommand"_ns;
     compliantString = TrustedTypeUtils::GetTrustedTypesCompliantString(
-        *aValue, sink, kTrustedTypesOnlySinkGroup, *this, compliantStringHolder,
+        *aValue, sink, kTrustedTypesOnlySinkGroup, *this, aSubjectPrincipal,
-        *aRv);
+        compliantStringHolder, *aRv);
     if (aRv->Failed()) {
       return InternalCommandData();
     }
@@ -5586,8 +5587,8 @@ bool Document::ExecCommand(const nsAString& aHTMLCommandName, bool aShowUI,
   //  this might add some ugly JS dependencies?
 
   nsAutoString adjustedValue;
-  InternalCommandData commandData =
+  InternalCommandData commandData = ConvertToInternalCommand(
-      ConvertToInternalCommand(aHTMLCommandName, &aValue, &aRv, &adjustedValue);
+      aHTMLCommandName, &aValue, &aSubjectPrincipal, &aRv, &adjustedValue);
   switch (commandData.mCommand) {
     case Command::DoNothing:
       return false;
@@ -20202,13 +20203,13 @@ static already_AddRefed<Document> CreateHTMLDocument(GlobalObject& aGlobal,
 /* static */
 already_AddRefed<Document> Document::ParseHTMLUnsafe(
     GlobalObject& aGlobal, const TrustedHTMLOrString& aHTML,
-    ErrorResult& aError) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(aGlobal.GetAsSupports());
   constexpr nsLiteralString sink = u"Document parseHTMLUnsafe"_ns;
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aHTML, sink, kTrustedTypesOnlySinkGroup, *global,
+          aHTML, sink, kTrustedTypesOnlySinkGroup, *global, aSubjectPrincipal,
           compliantStringHolder, aError);
   if (aError.Failed()) {
     return nullptr;

dom/base/Document.h

@@ -4499,6 +4499,7 @@ class Document : public nsINode,
    *                            execCommand().
    * @param aValue              The value which is set to the 3rd parameter
    *                            of execCommand().
+   * @param aSubjectPrincipal   Principal used for execCommand().
    * @param aRv                 ErrorResult used for Trusted Type conversion.
    * @param aAdjustedValue      [out] Must be empty string if set non-nullptr.
    *                            Will be set to adjusted value for executing
@@ -4514,7 +4515,8 @@ class Document : public nsINode,
    */
   MOZ_CAN_RUN_SCRIPT InternalCommandData ConvertToInternalCommand(
       const nsAString& aHTMLCommandName,
-      const TrustedHTMLOrString* aValue = nullptr, ErrorResult* aRv = nullptr,
+      const TrustedHTMLOrString* aValue = nullptr,
+      nsIPrincipal* aSubjectPrincipal = nullptr, ErrorResult* aRv = nullptr,
       nsAString* aAdjustedValue = nullptr);
 
   /**
@@ -5583,7 +5585,7 @@ class Document : public nsINode,
 
   MOZ_CAN_RUN_SCRIPT static already_AddRefed<Document> ParseHTMLUnsafe(
       GlobalObject& aGlobal, const TrustedHTMLOrString& aHTML,
-      ErrorResult& aError);
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aError);
 
   static already_AddRefed<Document> ParseHTML(GlobalObject& aGlobal,
                                               const nsAString& aHTML,

dom/base/Element.cpp

@@ -4327,7 +4327,7 @@ void Element::SetInnerHTML(const TrustedHTMLOrNullIsEmptyString& aInnerHTML,
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aInnerHTML, sink, kTrustedTypesOnlySinkGroup, *this,
-          compliantStringHolder, aError);
+          aSubjectPrincipal, compliantStringHolder, aError);
 
   if (aError.Failed()) {
     return;
@@ -4347,6 +4347,7 @@ void Element::GetOuterHTML(OwningTrustedHTMLOrNullIsEmptyString& aOuterHTML) {
 }
 
 void Element::SetOuterHTML(const TrustedHTMLOrNullIsEmptyString& aOuterHTML,
+                           nsIPrincipal* aSubjectPrincipal,
                            ErrorResult& aError) {
   constexpr nsLiteralString sink = u"Element outerHTML"_ns;
 
@@ -4354,7 +4355,7 @@ void Element::SetOuterHTML(const TrustedHTMLOrNullIsEmptyString& aOuterHTML,
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aOuterHTML, sink, kTrustedTypesOnlySinkGroup, *this,
-          compliantStringHolder, aError);
+          aSubjectPrincipal, compliantStringHolder, aError);
   if (aError.Failed()) {
     return;
   }
@@ -4416,14 +4417,14 @@ enum nsAdjacentPosition { eBeforeBegin, eAfterBegin, eBeforeEnd, eAfterEnd };
 
 void Element::InsertAdjacentHTML(
     const nsAString& aPosition, const TrustedHTMLOrString& aTrustedHTMLOrString,
-    ErrorResult& aError) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   constexpr nsLiteralString kSink = u"Element insertAdjacentHTML"_ns;
 
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aTrustedHTMLOrString, kSink, kTrustedTypesOnlySinkGroup, *this,
-          compliantStringHolder, aError);
+          aSubjectPrincipal, compliantStringHolder, aError);
 
   if (aError.Failed()) {
     return;
@@ -5485,9 +5486,10 @@ EditorBase* Element::GetExtantEditor() const {
 }
 
 void Element::SetHTMLUnsafe(const TrustedHTMLOrString& aHTML,
+                            nsIPrincipal* aSubjectPrincipal,
                             ErrorResult& aError) {
   nsContentUtils::SetHTMLUnsafe(this, this, aHTML, false /*aIsShadowRoot*/,
-                                aError);
+                                aSubjectPrincipal, aError);
 }
 
 // https://html.spec.whatwg.org/#event-beforematch

dom/base/Element.h

@@ -1668,11 +1668,13 @@ class Element : public FragmentOrElement {
   void GetOuterHTML(OwningTrustedHTMLOrNullIsEmptyString& aOuterHTML);
 
   MOZ_CAN_RUN_SCRIPT void SetOuterHTML(
-      const TrustedHTMLOrNullIsEmptyString& aOuterHTML, ErrorResult& aError);
+      const TrustedHTMLOrNullIsEmptyString& aOuterHTML,
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aError);
 
   MOZ_CAN_RUN_SCRIPT void InsertAdjacentHTML(
       const nsAString& aPosition,
-      const TrustedHTMLOrString& aTrustedHTMLOrString, ErrorResult& aError);
+      const TrustedHTMLOrString& aTrustedHTMLOrString,
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aError);
 
   void SetHTML(const nsAString& aInnerHTML, const SetHTMLOptions& aOptions,
                ErrorResult& aError);
@@ -2268,6 +2270,7 @@ class Element : public FragmentOrElement {
 
   MOZ_CAN_RUN_SCRIPT
   virtual void SetHTMLUnsafe(const TrustedHTMLOrString& aHTML,
+                             nsIPrincipal* aSubjectPrincipal,
                              ErrorResult& aError);
 
   MOZ_CAN_RUN_SCRIPT

dom/base/ShadowRoot.cpp

@@ -885,10 +885,11 @@ nsresult ShadowRoot::Clone(dom::NodeInfo* aNodeInfo, nsINode** aResult) const {
 }
 
 void ShadowRoot::SetHTMLUnsafe(const TrustedHTMLOrString& aHTML,
+                               nsIPrincipal* aSubjectPrincipal,
                                ErrorResult& aError) {
   RefPtr<Element> host = GetHost();
   nsContentUtils::SetHTMLUnsafe(this, host, aHTML, true /*aIsShadowRoot*/,
-                                aError);
+                                aSubjectPrincipal, aError);
 }
 
 void ShadowRoot::GetInnerHTML(
@@ -897,14 +898,15 @@ void ShadowRoot::GetInnerHTML(
 }
 
 MOZ_CAN_RUN_SCRIPT void ShadowRoot::SetInnerHTML(
-    const TrustedHTMLOrNullIsEmptyString& aInnerHTML, ErrorResult& aError) {
+    const TrustedHTMLOrNullIsEmptyString& aInnerHTML,
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   constexpr nsLiteralString sink = u"ShadowRoot innerHTML"_ns;
 
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aInnerHTML, sink, kTrustedTypesOnlySinkGroup, *this,
-          compliantStringHolder, aError);
+          aSubjectPrincipal, compliantStringHolder, aError);
   if (aError.Failed()) {
     return;
   }

dom/base/ShadowRoot.h

@@ -21,6 +21,7 @@
 
 class nsAtom;
 class nsIContent;
+class nsIPrincipal;
 
 namespace mozilla {
 
@@ -250,13 +251,15 @@ class ShadowRoot final : public DocumentFragment, public DocumentOrShadowRoot {
   }
 
   MOZ_CAN_RUN_SCRIPT
-  void SetHTMLUnsafe(const TrustedHTMLOrString& aHTML, ErrorResult& aError);
+  void SetHTMLUnsafe(const TrustedHTMLOrString& aHTML,
+                     nsIPrincipal* aSubjectPrincipal, ErrorResult& aError);
 
   // @param aInnerHTML will always be of type `NullIsEmptyString`.
   void GetInnerHTML(OwningTrustedHTMLOrNullIsEmptyString& aInnerHTML);
 
   MOZ_CAN_RUN_SCRIPT void SetInnerHTML(
-      const TrustedHTMLOrNullIsEmptyString& aInnerHTML, ErrorResult& aError);
+      const TrustedHTMLOrNullIsEmptyString& aInnerHTML,
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aError);
 
   void GetHTML(const GetHTMLOptions& aOptions, nsAString& aResult);
 

dom/base/nsContentUtils.cpp

@@ -5867,14 +5867,17 @@ uint32_t computeSanitizationFlags(nsIPrincipal* aPrincipal, int32_t aFlags) {
 void nsContentUtils::SetHTMLUnsafe(FragmentOrElement* aTarget,
                                    Element* aContext,
                                    const TrustedHTMLOrString& aSource,
-                                   bool aIsShadowRoot, ErrorResult& aError) {
+                                   bool aIsShadowRoot,
+                                   nsIPrincipal* aSubjectPrincipal,
+                                   ErrorResult& aError) {
   constexpr nsLiteralString elementSink = u"Element setHTMLUnsafe"_ns;
   constexpr nsLiteralString shadowRootSink = u"ShadowRoot setHTMLUnsafe"_ns;
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aSource, aIsShadowRoot ? shadowRootSink : elementSink,
-          kTrustedTypesOnlySinkGroup, *aContext, compliantStringHolder, aError);
+          kTrustedTypesOnlySinkGroup, *aContext, aSubjectPrincipal,
+          compliantStringHolder, aError);
   if (aError.Failed()) {
     return;
   }
@@ -9805,7 +9808,7 @@ static CheckedInt<uint32_t> ExtraSpaceNeededForAttrEncoding(
     switch (*c) {
       case '"':
       case '&':
-      case 0x00A0: // NO-BREAK SPACE
+      case 0x00A0:  // NO-BREAK SPACE
       case '<':
       case '>':
         ++numEncodedChars;
@@ -9826,7 +9829,8 @@ static CheckedInt<uint32_t> ExtraSpaceNeededForAttrEncoding(
   // & in it. We subtract 1 for the null terminator, then 1 more for the
   // existing character that will be replaced.
   constexpr uint32_t maxCharExtraSpace =
-      std::max({std::size("&quot;"), std::size("&amp;"), std::size("&nbsp;"), std::size("&lt;"), std::size("&gt;")}) -
+      std::max({std::size("&quot;"), std::size("&amp;"), std::size("&nbsp;"),
+                std::size("&lt;"), std::size("&gt;")}) -
       2;
   static_assert(maxCharExtraSpace < 100, "Possible underflow");
   return CheckedInt<uint32_t>(numEncodedChars) * maxCharExtraSpace;

dom/base/nsContentUtils.h

@@ -1895,7 +1895,8 @@ class nsContentUtils {
   static void SetHTMLUnsafe(mozilla::dom::FragmentOrElement* aTarget,
                             Element* aContext,
                             const mozilla::dom::TrustedHTMLOrString& aSource,
-                            bool aIsShadowRoot, mozilla::ErrorResult& aError);
+                            bool aIsShadowRoot, nsIPrincipal* aSubjectPrincipal,
+                            mozilla::ErrorResult& aError);
   /**
    * Invoke the fragment parsing algorithm (innerHTML) using the HTML parser.
    *

dom/base/nsGlobalWindowInner.cpp

@@ -6166,23 +6166,23 @@ nsGlobalWindowInner* nsGlobalWindowInner::InnerForSetTimeoutOrInterval(
 int32_t nsGlobalWindowInner::SetTimeout(
     JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
     int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-    ErrorResult& aError) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   return SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments, false,
-                              aError);
+                              aSubjectPrincipal, aError);
 }
 
 int32_t nsGlobalWindowInner::SetInterval(
     JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
     const int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-    ErrorResult& aError) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   return SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments, true,
-                              aError);
+                              aSubjectPrincipal, aError);
 }
 
 int32_t nsGlobalWindowInner::SetTimeoutOrInterval(
     JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
     int32_t aTimeout, const Sequence<JS::Value>& aArguments, bool aIsInterval,
-    ErrorResult& aError) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   nsGlobalWindowInner* inner = InnerForSetTimeoutOrInterval(aError);
   if (!inner) {
     return -1;
@@ -6191,7 +6191,8 @@ int32_t nsGlobalWindowInner::SetTimeoutOrInterval(
   if (inner != this) {
     RefPtr<nsGlobalWindowInner> innerRef(inner);
     return innerRef->SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments,
-                                          aIsInterval, aError);
+                                          aIsInterval, aSubjectPrincipal,
+                                          aError);
   }
 
   DebuggerNotificationDispatch(
@@ -6229,8 +6230,8 @@ int32_t nsGlobalWindowInner::SetTimeoutOrInterval(
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aHandler, aIsInterval ? sinkSetInterval : sinkSetTimeout,
-          kTrustedTypesOnlySinkGroup, *pinnedGlobal, compliantStringHolder,
+          kTrustedTypesOnlySinkGroup, *pinnedGlobal, aSubjectPrincipal,
-          aError);
+          compliantStringHolder, aError);
   if (aError.Failed()) {
     return 0;
   }

dom/base/nsGlobalWindowInner.h

@@ -721,7 +721,7 @@ class nsGlobalWindowInner final : public mozilla::dom::EventTarget,
       JSContext* aCx,
       const mozilla::dom::FunctionOrTrustedScriptOrString& aHandler,
       int32_t aTimeout, const mozilla::dom::Sequence<JS::Value>& /* unused */,
-      mozilla::ErrorResult& aError);
+      nsIPrincipal* aSubjectPrincipal, mozilla::ErrorResult& aError);
 
   MOZ_CAN_RUN_SCRIPT
   void ClearTimeout(int32_t aHandle);
@@ -732,7 +732,7 @@ class nsGlobalWindowInner final : public mozilla::dom::EventTarget,
       const mozilla::dom::FunctionOrTrustedScriptOrString& aHandler,
       const int32_t aTimeout,
       const mozilla::dom::Sequence<JS::Value>& /* unused */,
-      mozilla::ErrorResult& aError);
+      nsIPrincipal* aSubjectPrincipal, mozilla::ErrorResult& aError);
 
   MOZ_CAN_RUN_SCRIPT
   void ClearInterval(int32_t aHandle);
@@ -1081,7 +1081,8 @@ class nsGlobalWindowInner final : public mozilla::dom::EventTarget,
       JSContext* aCx,
       const mozilla::dom::FunctionOrTrustedScriptOrString& aHandler,
       int32_t aTimeout, const mozilla::dom::Sequence<JS::Value>& aArguments,
-      bool aIsInterval, mozilla::ErrorResult& aError);
+      bool aIsInterval, nsIPrincipal* aSubjectPrincipal,
+      mozilla::ErrorResult& aError);
 
   // Return true if |aTimeout| was cleared while its handler ran.
   MOZ_CAN_RUN_SCRIPT

dom/base/nsRange.cpp

@@ -2729,7 +2729,8 @@ already_AddRefed<DocumentFragment> nsRange::CreateContextualFragment(
 }
 
 already_AddRefed<DocumentFragment> nsRange::CreateContextualFragment(
-    const TrustedHTMLOrString& aFragment, ErrorResult& aRv) const {
+    const TrustedHTMLOrString& aFragment, nsIPrincipal* aSubjectPrincipal,
+    ErrorResult& aRv) const {
   if (!mIsPositioned) {
     aRv.Throw(NS_ERROR_FAILURE);
     return nullptr;
@@ -2741,7 +2742,7 @@ already_AddRefed<DocumentFragment> nsRange::CreateContextualFragment(
   nsCOMPtr<nsINode> node = mStart.GetContainer();
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aFragment, sink, kTrustedTypesOnlySinkGroup, *node,
+          aFragment, sink, kTrustedTypesOnlySinkGroup, *node, aSubjectPrincipal,
           compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return nullptr;

dom/base/nsRange.h

@@ -23,6 +23,8 @@
 #include "mozilla/RangeBoundary.h"
 #include "mozilla/RefPtr.h"
 
+class nsIPrincipal;
+
 namespace mozilla {
 class RectCallback;
 namespace dom {
@@ -216,6 +218,7 @@ class nsRange final : public mozilla::dom::AbstractRange,
       const nsAString& aString, ErrorResult& aError) const;
   MOZ_CAN_RUN_SCRIPT already_AddRefed<mozilla::dom::DocumentFragment>
   CreateContextualFragment(const mozilla::dom::TrustedHTMLOrString&,
+                           nsIPrincipal* aSubjectPrincipal,
                            ErrorResult& aError) const;
   already_AddRefed<mozilla::dom::DocumentFragment> CloneContents(
       ErrorResult& aErr);

dom/html/HTMLIFrameElement.cpp

@@ -392,13 +392,14 @@ void HTMLIFrameElement::GetSrcdoc(OwningTrustedHTMLOrString& aSrcdoc) {
 }
 
 void HTMLIFrameElement::SetSrcdoc(const TrustedHTMLOrString& aSrcdoc,
+                                  nsIPrincipal* aSubjectPrincipal,
                                   ErrorResult& aError) {
   constexpr nsLiteralString sink = u"HTMLIFrameElement srcdoc"_ns;
 
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aSrcdoc, sink, kTrustedTypesOnlySinkGroup, *this,
+          aSrcdoc, sink, kTrustedTypesOnlySinkGroup, *this, aSubjectPrincipal,
           compliantStringHolder, aError);
   if (aError.Failed()) {
     return;

dom/html/HTMLIFrameElement.h

@@ -65,6 +65,7 @@ class HTMLIFrameElement final : public nsGenericHTMLFrameElement {
   void GetSrcdoc(OwningTrustedHTMLOrString& aSrcdoc);
 
   MOZ_CAN_RUN_SCRIPT void SetSrcdoc(const TrustedHTMLOrString& aSrcdoc,
+                                    nsIPrincipal* aSubjectPrincipal,
                                     ErrorResult& aError);
 
   void GetName(DOMString& aName) { GetHTMLAttr(nsGkAtoms::name, aName); }

dom/html/HTMLScriptElement.cpp

@@ -165,13 +165,14 @@ void HTMLScriptElement::GetText(OwningTrustedScriptOrString& aValue,
 }
 
 void HTMLScriptElement::SetText(const TrustedScriptOrString& aValue,
+                                nsIPrincipal* aSubjectPrincipal,
                                 ErrorResult& aRv) {
   constexpr nsLiteralString sink = u"HTMLScriptElement text"_ns;
 
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aValue, sink, kTrustedTypesOnlySinkGroup, *this,
+          aValue, sink, kTrustedTypesOnlySinkGroup, *this, aSubjectPrincipal,
           compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return;
@@ -191,13 +192,14 @@ void HTMLScriptElement::GetInnerText(
 }
 
 void HTMLScriptElement::SetInnerText(
-    const TrustedScriptOrNullIsEmptyString& aValue, ErrorResult& aError) {
+    const TrustedScriptOrNullIsEmptyString& aValue,
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aError) {
   constexpr nsLiteralString sink = u"HTMLScriptElement innerText"_ns;
 
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aValue, sink, kTrustedTypesOnlySinkGroup, *this,
+          aValue, sink, kTrustedTypesOnlySinkGroup, *this, aSubjectPrincipal,
           compliantStringHolder, aError);
   if (aError.Failed()) {
     return;
@@ -226,7 +228,7 @@ void HTMLScriptElement::SetTrustedScriptOrStringTextContent(
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aTextContent.Value(), sink, kTrustedTypesOnlySinkGroup, *this,
-          compliantStringHolder, aError);
+          aSubjectPrincipal, compliantStringHolder, aError);
   if (aError.Failed()) {
     return;
   }
@@ -238,20 +240,20 @@ void HTMLScriptElement::GetSrc(OwningTrustedScriptURLOrString& aSrc) {
 }
 
 void HTMLScriptElement::SetSrc(const TrustedScriptURLOrString& aSrc,
-                               nsIPrincipal* aTriggeringPrincipal,
+                               nsIPrincipal* aSubjectPrincipal,
                                ErrorResult& aRv) {
   constexpr nsLiteralString sink = u"HTMLScriptElement src"_ns;
 
   Maybe<nsAutoString> compliantStringHolder;
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aSrc, sink, kTrustedTypesOnlySinkGroup, *this, compliantStringHolder,
+          aSrc, sink, kTrustedTypesOnlySinkGroup, *this, aSubjectPrincipal,
-          aRv);
+          compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return;
   }
 
-  SetHTMLAttr(nsGkAtoms::src, *compliantString, aTriggeringPrincipal, aRv);
+  SetHTMLAttr(nsGkAtoms::src, *compliantString, aSubjectPrincipal, aRv);
 }
 
 // variation of this code in SVGScriptElement - check if changes

dom/html/HTMLScriptElement.h

@@ -78,6 +78,7 @@ class HTMLScriptElement final : public nsGenericHTMLElement,
                                   ErrorResult& aRv) const;
 
   MOZ_CAN_RUN_SCRIPT void SetText(const TrustedScriptOrString& aValue,
+                                  nsIPrincipal* aSubjectPrincipal,
                                   ErrorResult& aRv);
 
   // @param aValue will always be of type `NullIsEmptyString`.
@@ -85,7 +86,8 @@ class HTMLScriptElement final : public nsGenericHTMLElement,
       OwningTrustedScriptOrNullIsEmptyString& aValue, ErrorResult& aError);
 
   MOZ_CAN_RUN_SCRIPT void SetInnerText(
-      const TrustedScriptOrNullIsEmptyString& aValue, ErrorResult& aError);
+      const TrustedScriptOrNullIsEmptyString& aValue,
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aError);
 
   // @param aTextContent will always be of type `String`.
   MOZ_CAN_RUN_SCRIPT void GetTrustedScriptOrStringTextContent(
@@ -112,7 +114,7 @@ class HTMLScriptElement final : public nsGenericHTMLElement,
   void GetSrc(OwningTrustedScriptURLOrString& aSrc);
 
   MOZ_CAN_RUN_SCRIPT void SetSrc(const TrustedScriptURLOrString& aSrc,
-                                 nsIPrincipal* aTriggeringPrincipal,
+                                 nsIPrincipal* aSubjectPrincipal,
                                  ErrorResult& aRv);
 
   void GetType(nsAString& aType) { GetHTMLAttr(nsGkAtoms::type, aType); }

dom/html/HTMLTemplateElement.cpp

@@ -103,10 +103,11 @@ bool HTMLTemplateElement::ParseAttribute(int32_t aNamespaceID,
 }
 
 void HTMLTemplateElement::SetHTMLUnsafe(const TrustedHTMLOrString& aHTML,
+                                        nsIPrincipal* aSubjectPrincipal,
                                         ErrorResult& aError) {
   RefPtr<DocumentFragment> content = mContent;
   nsContentUtils::SetHTMLUnsafe(content, this, aHTML, false /*aIsShadowRoot*/,
-                                aError);
+                                aSubjectPrincipal, aError);
 }
 
 }  // namespace mozilla::dom

dom/html/HTMLTemplateElement.h

@@ -74,6 +74,7 @@ class HTMLTemplateElement final : public nsGenericHTMLElement {
 
   MOZ_CAN_RUN_SCRIPT
   void SetHTMLUnsafe(const TrustedHTMLOrString& aHTML,
+                     nsIPrincipal* aSubjectPrincipal,
                      ErrorResult& aError) final;
 
  protected:

dom/security/trusted-types/TrustedTypeUtils.cpp

@@ -412,7 +412,8 @@ template <typename ExpectedType, typename TrustedTypeOrString,
 MOZ_CAN_RUN_SCRIPT inline const nsAString* GetTrustedTypesCompliantString(
     const TrustedTypeOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, NodeOrGlobalObject& aNodeOrGlobalObject,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError) {
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError) {
   MOZ_ASSERT(aSinkGroup == kTrustedTypesOnlySinkGroup);
   if (!StaticPrefs::dom_security_trusted_types_enabled()) {
     // A trusted type might've been created before the pref was set to `false`,
@@ -557,9 +558,11 @@ MOZ_CAN_RUN_SCRIPT inline const nsAString* GetTrustedTypesCompliantString(
   const nsAString* GetTrustedTypesCompliantString(                        \
       const _trustedTypeOrString& aInput, const nsAString& aSink,         \
       const nsAString& aSinkGroup, _nodeOrGlobalObject& aNodeOrGlobal,    \
-      Maybe<nsAutoString>& aResultHolder, ErrorResult& aError) {          \
+      nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder, \
+      ErrorResult& aError) {                                              \
     return GetTrustedTypesCompliantString<_expectedType>(                 \
-        aInput, aSink, aSinkGroup, aNodeOrGlobal, aResultHolder, aError); \
+        aInput, aSink, aSinkGroup, aNodeOrGlobal, aPrincipalOrNull,       \
+        aResultHolder, aError);                                           \
   }
 
 IMPL_GET_TRUSTED_TYPES_COMPLIANT_STRING(TrustedHTMLOrString, TrustedHTML,
@@ -589,7 +592,7 @@ GetTrustedTypesCompliantStringForTrustedHTML(const nsAString& aInput,
                                              Maybe<nsAutoString>& aResultHolder,
                                              ErrorResult& aError) {
   return GetTrustedTypesCompliantString<TrustedHTML>(
-      &aInput, aSink, aSinkGroup, aNode, aResultHolder, aError);
+      &aInput, aSink, aSinkGroup, aNode, nullptr, aResultHolder, aError);
 }
 
 MOZ_CAN_RUN_SCRIPT const nsAString*
@@ -598,7 +601,8 @@ GetTrustedTypesCompliantStringForTrustedScript(
     const nsAString& aSinkGroup, nsIGlobalObject& aGlobalObject,
     Maybe<nsAutoString>& aResultHolder, ErrorResult& aError) {
   return GetTrustedTypesCompliantString<TrustedScript>(
-      &aInput, aSink, aSinkGroup, aGlobalObject, aResultHolder, aError);
+      &aInput, aSink, aSinkGroup, aGlobalObject, nullptr, aResultHolder,
+      aError);
 }
 
 bool GetTrustedTypeDataForAttribute(const nsAtom* aElementName,
@@ -706,16 +710,16 @@ MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantAttributeValue(
   switch (expectedType) {
     case TrustedType::TrustedHTML:
       return GetTrustedTypesCompliantString<TrustedHTML>(
-          input, sink, kTrustedTypesOnlySinkGroup, aElement, aResultHolder,
+          input, sink, kTrustedTypesOnlySinkGroup, aElement, nullptr,
-          aError);
+          aResultHolder, aError);
     case TrustedType::TrustedScript:
       return GetTrustedTypesCompliantString<TrustedScript>(
-          input, sink, kTrustedTypesOnlySinkGroup, aElement, aResultHolder,
+          input, sink, kTrustedTypesOnlySinkGroup, aElement, nullptr,
-          aError);
+          aResultHolder, aError);
     case TrustedType::TrustedScriptURL:
       return GetTrustedTypesCompliantString<TrustedScriptURL>(
-          input, sink, kTrustedTypesOnlySinkGroup, aElement, aResultHolder,
+          input, sink, kTrustedTypesOnlySinkGroup, aElement, nullptr,
-          aError);
+          aResultHolder, aError);
   }
   MOZ_ASSERT_UNREACHABLE();
   return nullptr;

dom/security/trusted-types/TrustedTypeUtils.h

@@ -18,6 +18,7 @@
 #include "js/TypeDecls.h"
 
 class nsIContentSecurityPolicy;
+class nsIPrincipal;
 
 namespace mozilla {
 
@@ -70,39 +71,48 @@ nsString GetTrustedTypeName(TrustedType aTrustedType);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedHTMLOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, const nsINode& aNode,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedHTMLOrNullIsEmptyString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, const nsINode& aNode,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedHTMLOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, nsIGlobalObject& aGlobalObject,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedScriptOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, const nsINode& aNode,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedScriptOrNullIsEmptyString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, const nsINode& aNode,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const FunctionOrTrustedScriptOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, nsIGlobalObject& aGlobalObject,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedScriptURLOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, const nsINode& aNode,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const TrustedScriptURLOrUSVString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, nsIGlobalObject& aGlobalObject,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString* GetTrustedTypesCompliantString(
     const OwningTrustedScriptURLOrString& aInput, const nsAString& aSink,
     const nsAString& aSinkGroup, nsIGlobalObject& aGlobalObject,
-    Maybe<nsAutoString>& aResultHolder, ErrorResult& aError);
+    nsIPrincipal* aPrincipalOrNull, Maybe<nsAutoString>& aResultHolder,
+    ErrorResult& aError);
 MOZ_CAN_RUN_SCRIPT const nsAString*
 GetTrustedTypesCompliantStringForTrustedHTML(const nsAString& aInput,
                                              const nsAString& aSink,

dom/serviceworkers/ServiceWorkerContainer.cpp

@@ -166,7 +166,7 @@ JSObject* ServiceWorkerContainer::WrapObject(
 
 already_AddRefed<Promise> ServiceWorkerContainer::Register(
     const TrustedScriptURLOrUSVString& aScriptURL,
-    const RegistrationOptions& aOptions, const CallerType aCallerType,
+    const RegistrationOptions& aOptions, nsIPrincipal* aSubjectPrincipal,
     ErrorResult& aRv) {
   AUTO_PROFILER_MARKER_UNTYPED("SWC Register", DOM, {});
 
@@ -196,7 +196,7 @@ already_AddRefed<Promise> ServiceWorkerContainer::Register(
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aScriptURL, sink, kTrustedTypesOnlySinkGroup, *global,
-          compliantStringHolder, aRv);
+          aSubjectPrincipal, compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return nullptr;
   }

dom/serviceworkers/ServiceWorkerContainer.h

@@ -12,6 +12,7 @@
 #include "mozilla/dom/ServiceWorkerUtils.h"
 
 class nsIGlobalWindow;
+class nsIPrincipal;
 
 namespace mozilla::dom {
 
@@ -54,7 +55,7 @@ class ServiceWorkerContainer final : public DOMEventTargetHelper {
 
   MOZ_CAN_RUN_SCRIPT already_AddRefed<Promise> Register(
       const TrustedScriptURLOrUSVString& aScriptURL,
-      const RegistrationOptions& aOptions, const CallerType aCallerType,
+      const RegistrationOptions& aOptions, nsIPrincipal* aSubjectPrincipal,
       ErrorResult& aRv);
 
   already_AddRefed<ServiceWorker> GetController();

dom/svg/DOMSVGAnimatedString.h

@@ -10,6 +10,8 @@
 #include "mozilla/SVGAnimatedClassOrString.h"
 #include "mozilla/dom/SVGElement.h"
 
+class nsIPrincipal;
+
 namespace mozilla::dom {
 
 class OwningTrustedScriptURLOrString;
@@ -33,9 +35,10 @@ class DOMSVGAnimatedString final : public nsWrapperCache {
     mVal->GetBaseValue(aResult, mSVGElement);
   }
   MOZ_CAN_RUN_SCRIPT void SetBaseVal(const TrustedScriptURLOrString& aValue,
+                                     nsIPrincipal* aSubjectPrincipal,
                                      ErrorResult& aRv) {
     RefPtr<SVGElement> svgElement = mSVGElement;
-    mVal->SetBaseValue(aValue, svgElement, true, aRv);
+    mVal->SetBaseValue(aValue, svgElement, true, aSubjectPrincipal, aRv);
   }
   void GetAnimVal(nsAString& aResult) {
     mSVGElement->FlushAnimations();

dom/svg/SVGAnimatedClassOrString.cpp

@@ -35,7 +35,7 @@ void SVGAnimatedClassOrString::RemoveTearoff() {
 
 void SVGAnimatedClassOrString::SetBaseValue(
     const TrustedScriptURLOrString& aValue, SVGElement* aSVGElement,
-    bool aDoSetAttr, ErrorResult&) {
+    bool aDoSetAttr, nsIPrincipal*, ErrorResult&) {
   // The spec is not super explicit, but it makes sense to default to the
   // associated data value for TrustedScriptURL values.
   // https://github.com/w3c/svgwg/issues/961

dom/svg/SVGAnimatedClassOrString.h

@@ -10,6 +10,8 @@
 #include "nsStringFwd.h"
 #include "mozilla/AlreadyAddRefed.h"
 
+class nsIPrincipal;
+
 namespace mozilla {
 
 class ErrorResult;
@@ -31,7 +33,7 @@ class SVGAnimatedClassOrString {
                             bool aDoSetAttr) = 0;
   MOZ_CAN_RUN_SCRIPT virtual void SetBaseValue(
       const TrustedScriptURLOrString& aValue, SVGElement* aSVGElement,
-      bool aDoSetAttr, ErrorResult& aRv);
+      bool aDoSetAttr, nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv);
   virtual void GetBaseValue(nsAString& aValue,
                             const SVGElement* aSVGElement) const = 0;
   virtual void GetBaseValue(OwningTrustedScriptURLOrString& aValue,

dom/svg/SVGAnimatedString.cpp

@@ -98,7 +98,7 @@ nsresult SVGAnimatedString::SMILString::SetAnimValue(const SMILValue& aValue) {
 
 void SVGAnimatedScriptHrefString::SetBaseValue(
     const TrustedScriptURLOrString& aValue, SVGElement* aSVGElement,
-    bool aDoSetAttr, ErrorResult& aRv) {
+    bool aDoSetAttr, nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv) {
   // https://svgwg.org/svg2-draft/single-page.html#types-InterfaceSVGAnimatedString
   // See https://github.com/w3c/svgwg/pull/934
   MOZ_ASSERT(aSVGElement->IsSVGElement(nsGkAtoms::script));
@@ -108,7 +108,7 @@ void SVGAnimatedScriptHrefString::SetBaseValue(
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aValue, sink, kTrustedTypesOnlySinkGroup, *svgElement,
-          compliantStringHolder, aRv);
+          aSubjectPrincipal, compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return;
   }

dom/svg/SVGAnimatedString.h

@@ -41,9 +41,10 @@ class SVGAnimatedString : public SVGAnimatedClassOrString {
                     bool aDoSetAttr) override;
   MOZ_CAN_RUN_SCRIPT void SetBaseValue(const TrustedScriptURLOrString& aValue,
                                        SVGElement* aSVGElement, bool aDoSetAttr,
+                                       nsIPrincipal* aSubjectPrincipal,
                                        ErrorResult& aRv) override {
     SVGAnimatedClassOrString::SetBaseValue(aValue, aSVGElement, aDoSetAttr,
-                                           aRv);
+                                           aSubjectPrincipal, aRv);
   }
   void GetBaseValue(nsAString& aValue,
                     const SVGElement* aSVGElement) const override {
@@ -114,6 +115,7 @@ class SVGAnimatedScriptHrefString final : public SVGAnimatedString {
   using TrustedScriptURLOrString = dom::TrustedScriptURLOrString;
   MOZ_CAN_RUN_SCRIPT void SetBaseValue(const TrustedScriptURLOrString& aValue,
                                        SVGElement* aSVGElement, bool aDoSetAttr,
+                                       nsIPrincipal* aSubjectPrincipal,
                                        ErrorResult& aRv) override;
   SVGAnimatedScriptHrefString() = default;
 };

dom/webidl/DOMParser.webidl

@@ -23,7 +23,7 @@ interface DOMParser {
   [Throws]
   constructor();
 
-  [NewObject, Throws, UseCounter]
+  [NewObject, NeedsSubjectPrincipal=NonSystem, Throws, UseCounter]
   Document parseFromString((TrustedHTML or DOMString) str, SupportedType type);
 
   // Mozilla-specific stuff

dom/webidl/Document.webidl

@@ -122,7 +122,7 @@ interface Document : Node {
 
 // https://html.spec.whatwg.org/multipage/dom.html#the-document-object
 partial interface Document {
-  [Throws]
+  [Throws, NeedsSubjectPrincipal=NonSystem]
   static Document parseHTMLUnsafe((TrustedHTML or DOMString) html);
 
   [PutForwards=href, LegacyUnforgeable] readonly attribute Location? location;

dom/webidl/Element.webidl

@@ -262,9 +262,9 @@ partial interface Element {
 partial interface Element {
   [CEReactions, SetterNeedsSubjectPrincipal=NonSystem, Pure, SetterThrows, GetterCanOOM]
   attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
-  [CEReactions, Pure, SetterThrows]
+  [CEReactions, SetterNeedsSubjectPrincipal=NonSystem, Pure, SetterThrows]
   attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) outerHTML;
-  [CEReactions, Throws]
+  [CEReactions, NeedsSubjectPrincipal=NonSystem, Throws]
   undefined insertAdjacentHTML(DOMString position, (TrustedHTML or DOMString) text);
 };
 
@@ -406,7 +406,7 @@ dictionary GetHTMLOptions {
 partial interface Element {
   // https://html.spec.whatwg.org/#dom-element-sethtmlunsafe
   /* TODO: optional SetHTMLUnsafeOptions options = {} */
-  [Throws]
+  [NeedsSubjectPrincipal=NonSystem, Throws]
   undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
   DOMString getHTML(optional GetHTMLOptions options = {});
 };

dom/webidl/HTMLIFrameElement.webidl

@@ -19,7 +19,7 @@ interface HTMLIFrameElement : HTMLElement {
 
   [CEReactions, SetterNeedsSubjectPrincipal=NonSystem, SetterThrows, Pure]
            attribute DOMString src;
-  [CEReactions, SetterThrows, Pure]
+  [CEReactions, SetterNeedsSubjectPrincipal=NonSystem, SetterThrows, Pure]
            attribute (TrustedHTML or DOMString) srcdoc;
   [CEReactions, SetterThrows, Pure]
            attribute DOMString name;

dom/webidl/HTMLScriptElement.webidl

@@ -28,7 +28,7 @@ interface HTMLScriptElement : HTMLElement {
   attribute DOMString? crossOrigin;
   [CEReactions, SetterThrows]
   attribute DOMString referrerPolicy;
-  [CEReactions, Throws]
+  [CEReactions, SetterNeedsSubjectPrincipal=NonSystem, Throws]
   attribute (TrustedScript or DOMString) text;
   [Pref="dom.element.blocking.enabled", SameObject, PutForwards=value]
   readonly attribute DOMTokenList blocking;
@@ -54,7 +54,7 @@ partial interface HTMLScriptElement {
 
 // https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts
 partial interface HTMLScriptElement {
-  [CEReactions, Throws] attribute (TrustedScript or [LegacyNullToEmptyString] DOMString) innerText;
+  [CEReactions, SetterNeedsSubjectPrincipal=NonSystem, Throws] attribute (TrustedScript or [LegacyNullToEmptyString] DOMString) innerText;
   [CEReactions, SetterThrows, GetterCanOOM,
    SetterNeedsSubjectPrincipal=NonSystem, BinaryName="trustedScriptOrStringTextContent"] attribute (TrustedScript or DOMString)? textContent;
 };

dom/webidl/Range.webidl

@@ -75,7 +75,7 @@ interface Range : AbstractRange {
 
 // http://domparsing.spec.whatwg.org/#dom-range-createcontextualfragment
 partial interface Range {
-  [CEReactions, Throws, UseCounter]
+  [CEReactions, NeedsSubjectPrincipal=NonSystem, Throws, UseCounter]
   DocumentFragment createContextualFragment((TrustedHTML or DOMString) fragment);
 };
 

dom/webidl/SVGAnimatedString.webidl

@@ -12,6 +12,8 @@
 
 [Exposed=Window]
 interface SVGAnimatedString {
-  [SetterThrows] attribute (TrustedScriptURL or DOMString) baseVal;
+  [SetterThrows, SetterNeedsSubjectPrincipal=NonSystem]
+  attribute (TrustedScriptURL or DOMString) baseVal;
+
   readonly attribute DOMString animVal;
 };

dom/webidl/ServiceWorkerContainer.webidl

@@ -18,7 +18,7 @@ interface ServiceWorkerContainer : EventTarget {
   [Throws]
   readonly attribute Promise<ServiceWorkerRegistration> ready;
 
-  [NewObject, NeedsCallerType, Throws]
+  [NewObject, NeedsSubjectPrincipal=NonSystem, Throws]
   Promise<ServiceWorkerRegistration> register((TrustedScriptURL or USVString) scriptURL,
                                               optional RegistrationOptions options = {});
 

dom/webidl/ShadowRoot.webidl

@@ -34,7 +34,7 @@ interface ShadowRoot : DocumentFragment
   Element? getElementById(DOMString elementId);
 
   // https://w3c.github.io/DOM-Parsing/#the-innerhtml-mixin
-  [CEReactions, SetterThrows]
+  [CEReactions, SetterThrows, SetterNeedsSubjectPrincipal=NonSystem]
   attribute (TrustedHTML or [LegacyNullToEmptyString] DOMString) innerHTML;
 
   // When JS invokes importNode or createElement, the binding code needs to
@@ -59,7 +59,7 @@ interface ShadowRoot : DocumentFragment
 
 partial interface ShadowRoot {
   // https://html.spec.whatwg.org/#dom-shadowroot-sethtmlunsafe
-  [Throws]
+  [NeedsSubjectPrincipal=NonSystem, Throws]
   undefined setHTMLUnsafe((TrustedHTML or DOMString) html);
   DOMString getHTML(optional GetHTMLOptions options = {});
 };

dom/webidl/WindowOrWorkerGlobalScope.webidl

@@ -28,10 +28,10 @@ interface mixin WindowOrWorkerGlobalScope {
   DOMString atob(DOMString atob);
 
   // timers
-  [Throws]
+  [Throws, NeedsSubjectPrincipal=NonSystem]
   long setTimeout(TimerHandler handler, optional long timeout = 0, any... arguments);
   undefined clearTimeout(optional long handle = 0);
-  [Throws]
+  [Throws, NeedsSubjectPrincipal=NonSystem]
   long setInterval(TimerHandler handler, optional long timeout = 0, any... unused);
   undefined clearInterval(optional long handle = 0);
 

dom/workers/Worker.cpp

@@ -47,6 +47,9 @@ already_AddRefed<Worker> Worker::Constructor(
     return nullptr;
   }
 
+  // TODO(Bug 1963277) This doen't work for content scripts.
+  nsCOMPtr<nsIPrincipal> principal = aGlobal.GetSubjectPrincipal();
+
   // The spec only mentions Window and WorkerGlobalScope global objects, but
   // Gecko can actually call the constructor with other ones, so we just skip
   // trusted types handling in that case.
@@ -62,7 +65,7 @@ already_AddRefed<Worker> Worker::Constructor(
   if (performTrustedTypeConversion) {
     constexpr nsLiteralString sink = u"Worker constructor"_ns;
     compliantString = TrustedTypeUtils::GetTrustedTypesCompliantString(
-        aScriptURL, sink, kTrustedTypesOnlySinkGroup, *globalObject,
+        aScriptURL, sink, kTrustedTypesOnlySinkGroup, *globalObject, principal,
         compliantStringHolder, aRv);
     if (aRv.Failed()) {
       return nullptr;

dom/workers/WorkerScope.cpp

@@ -668,7 +668,7 @@ void WorkerGlobalScope::ImportScripts(
       const nsAString* compliantString =
           TrustedTypeUtils::GetTrustedTypesCompliantString(
               scriptURL, sink, kTrustedTypesOnlySinkGroup, *pinnedGlobal,
-              compliantStringHolder, aRv);
+              nullptr, compliantStringHolder, aRv);
       if (aRv.Failed()) {
         return;
       }
@@ -694,8 +694,9 @@ void WorkerGlobalScope::ImportScripts(
 int32_t WorkerGlobalScope::SetTimeout(
     JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
     const int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-    ErrorResult& aRv) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv) {
-  return SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments, false, aRv);
+  return SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments, false,
+                              aSubjectPrincipal, aRv);
 }
 
 void WorkerGlobalScope::ClearTimeout(int32_t aHandle) {
@@ -709,8 +710,9 @@ void WorkerGlobalScope::ClearTimeout(int32_t aHandle) {
 int32_t WorkerGlobalScope::SetInterval(
     JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
     const int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-    ErrorResult& aRv) {
+    nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv) {
-  return SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments, true, aRv);
+  return SetTimeoutOrInterval(aCx, aHandler, aTimeout, aArguments, true,
+                              aSubjectPrincipal, aRv);
 }
 
 void WorkerGlobalScope::ClearInterval(int32_t aHandle) {
@@ -724,7 +726,7 @@ void WorkerGlobalScope::ClearInterval(int32_t aHandle) {
 int32_t WorkerGlobalScope::SetTimeoutOrInterval(
     JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
     const int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-    bool aIsInterval, ErrorResult& aRv) {
+    bool aIsInterval, nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv) {
   AssertIsOnWorkerThread();
 
   DebuggerNotificationDispatch(
@@ -751,8 +753,8 @@ int32_t WorkerGlobalScope::SetTimeoutOrInterval(
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
           aHandler, aIsInterval ? sinkSetInterval : sinkSetTimeout,
-          kTrustedTypesOnlySinkGroup, *pinnedGlobal, compliantStringHolder,
+          kTrustedTypesOnlySinkGroup, *pinnedGlobal, aSubjectPrincipal,
-          aRv);
+          compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return 0;
   }

dom/workers/WorkerScope.h

@@ -369,7 +369,7 @@ class WorkerGlobalScope : public WorkerGlobalScopeBase {
   int32_t SetTimeout(JSContext* aCx,
                      const FunctionOrTrustedScriptOrString& aHandler,
                      int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-                     ErrorResult& aRv);
+                     nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv);
 
   MOZ_CAN_RUN_SCRIPT
   void ClearTimeout(int32_t aHandle);
@@ -378,7 +378,7 @@ class WorkerGlobalScope : public WorkerGlobalScopeBase {
   int32_t SetInterval(JSContext* aCx,
                       const FunctionOrTrustedScriptOrString& aHandler,
                       int32_t aTimeout, const Sequence<JS::Value>& aArguments,
-                      ErrorResult& aRv);
+                      nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv);
 
   MOZ_CAN_RUN_SCRIPT
   void ClearInterval(int32_t aHandle);
@@ -436,11 +436,10 @@ class WorkerGlobalScope : public WorkerGlobalScopeBase {
 
  private:
   MOZ_CAN_RUN_SCRIPT
-  int32_t SetTimeoutOrInterval(JSContext* aCx,
+  int32_t SetTimeoutOrInterval(
-                               const FunctionOrTrustedScriptOrString& aHandler,
+      JSContext* aCx, const FunctionOrTrustedScriptOrString& aHandler,
-                               int32_t aTimeout,
+      int32_t aTimeout, const Sequence<JS::Value>& aArguments, bool aIsInterval,
-                               const Sequence<JS::Value>& aArguments,
+      nsIPrincipal* aSubjectPrincipal, ErrorResult& aRv);
-                               bool aIsInterval, ErrorResult& aRv);
 
   RefPtr<Crypto> mCrypto;
   RefPtr<WorkerLocation> mLocation;

dom/workers/sharedworkers/SharedWorker.cpp

@@ -137,7 +137,7 @@ already_AddRefed<SharedWorker> SharedWorker::Constructor(
   nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(window);
   const nsAString* compliantString =
       TrustedTypeUtils::GetTrustedTypesCompliantString(
-          aScriptURL, sink, kTrustedTypesOnlySinkGroup, *global,
+          aScriptURL, sink, kTrustedTypesOnlySinkGroup, *global, principal,
           compliantStringHolder, aRv);
   if (aRv.Failed()) {
     return nullptr;