chromium/third_party/google-closure-library/closure/goog/conformance_proto.txt

# proto-file: third_party/java_src/jscomp/java/com/google/javascript/jscomp/conformance.proto
# proto-message: ConformanceConfig

# Conformance users:
#
# DO NOT COPY PASTE THESE RULES. If you do, changes to Closure can break your
# build and you also won't get new or improved rules. Instead use this file in
# your project and extend the rules to disable them or to add their allowlists.

### Platform restrictions ###

# Bans every reference (read, write or call) to Arguments.prototype.callee.
requirement: {
  rule_id: "closure:callee"
  type: BANNED_PROPERTY
  error_message: "Arguments.prototype.callee is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#callee"

  value: "Arguments.prototype.callee"

  # NOTE(review): allowlist entries are regular expressions. The unescaped "."
  # in ".js" matches any character, and an entry ending in "/" exempts every
  # file under that directory. The entries have no trailing anchor, so they
  # are presumably applied as a substring search on the source path; confirm
  # against the compiler before assuming an entry is narrow.
  allowlist_regexp: ".+/closure/goog/debug/"  # legacy stack trace support, etc
  # TODO(mlourenco): Fix this? Not sure if possible or not.
  allowlist_regexp: ".+/closure/goog/testing/stacktrace.js"
}

# Custom rule (logic lives in the java_class named below): per its error
# message, only Error or Error subclass objects may be thrown.
requirement: {
  rule_id: "closure:throwOfNonErrorTypes"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanThrowOfNonErrorTypes"
  error_message: "Only Error or Error subclass objects may be thrown. See https://google.github.io/closure-library/develop/conformance_rules.html#throwOfNonErrorTypes"

  # The first entry exempts a whole directory; the second a single file.
  allowlist_regexp: ".+/closure/goog/storage/"  # throws numbers as part of its api
  allowlist_regexp: ".+/closure/goog/testing/mock.js"  # throws Object in $recordAndThrow
}

# Custom rule (logic lives in the java_class named below): per its error
# message, global declarations are not allowed.
requirement: {
  rule_id: "closure:globalVars"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanGlobalVars"
  error_message: "Global declarations are not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#globalVars"
  allowlist_regexp: ".+/closure/goog/base.js"  # global 'goog'
  allowlist_regexp: ".+/closure/goog/labs/testing/"  # global matchers, etc
  allowlist_regexp: ".+/closure/goog/locale/locale.js"  # dumb api
  allowlist_regexp: ".+/closure/goog/testing/"  # global assert methods, etc
  allowlist_regexp: ".+/closure/goog/tweak/testhelpers.js"  # global values
  # Unlike the entries above, this one is anchored at the start of the path.
  allowlist_regexp: "^Post-"  # injected '_ModuleManager_initialize'

  # Allowlist for global names
  # In this rule "value" lists names that are permitted, not names that are
  # banned.
  value: "CLOSURE_DEFINES"  # Closure Compiler requires this to be a global var
}

# Custom rule (logic lives in the java_class named below): per its error
# message, references to "this" whose type is "unknown" are not allowed.
requirement: {
  rule_id: "closure:unknownThis"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanUnknownThis"
  error_message: "References to \"this\" that are typed as \"unknown\" are not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#unknownThis"

  # None of these exemptions records a reason. All are single files except
  # testing/, which exempts the whole directory.
  allowlist_regexp: ".+/closure/goog/base.js"
  allowlist_regexp: ".+/closure/goog/debug/errorhandler.js"
  allowlist_regexp: ".+/closure/goog/editor/plugins/linkbubble.js"
  allowlist_regexp: ".+/closure/goog/editor/plugins/linkdialogplugin.js"
  allowlist_regexp: ".+/closure/goog/functions/functions.js"
  allowlist_regexp: ".+/closure/goog/memoize/memoize.js"
  allowlist_regexp: ".+/closure/goog/pubsub/pubsub.js"
  allowlist_regexp: ".+/closure/goog/testing/"
  allowlist_regexp: ".+/closure/goog/ui/editor/bubble.js"
  allowlist_regexp: ".+/closure/goog/ui/editor/toolbarcontroller.js"
}

### Browser tech requirements ###

# This requirement is somewhat Google-specific: open-source Closure users that
# don't use GAPI could reasonably ignore it depending on how they do messaging
# in their app.
# Bans calls to Window.prototype.postMessage. BANNED_PROPERTY_CALL targets
# calls only, not other references to the property.
requirement: {
  rule_id: "closure:postMessage"
  type: BANNED_PROPERTY_CALL
  error_message: "Window.prototype.postMessage is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#postMessage"

  value: "Window.prototype.postMessage"

  # Known-safe common infrastructure.
  allowlist_regexp: ".+/closure/goog/async/nexttick.js"
  allowlist_regexp: ".+/closure/goog/net/xpc/nativemessagingtransport.js"
  # TODO(user): make sure this gets security reviewed (b/29333525).
  # NOTE(review): this exemption is in force although the TODO above shows the
  # security review is still outstanding, so treat the postMessage use in
  # portchannel.js as unreviewed rather than as known-safe.
  allowlist_regexp: ".+/closure/goog/messaging/portchannel.js"
}

### Security: forbid DOM properties and functions which can cause XSS ###

# These are properties and functions which might have safe wrappers under
# goog.dom.safe. Two groups: properties and functions which accept
# HTML/CSS/script-as-string, and properties and functions which accept URLs.

#### DOM properties and functions which accept HTML/CSS/script-as-string ####

# Bans the global names eval, execScript and goog.globalEval. BANNED_NAME
# flags any reference to the name, not only calls (see the TODO below).
requirement: {
  rule_id: 'closure:eval'
  # TODO(jakubvrana): Change to BANNED_NAME_CALL after cl/154708486 lands.
  type: BANNED_NAME
  error_message: 'eval is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'eval'
  value: 'execScript'
  value: 'goog.globalEval'

  allowlist_regexp: '.+/closure/goog/base.js' # goog.module loading in uncompiled code.
  allowlist_regexp: '.+/closure/goog/goog.js' # Forwards goog.globalEval
  allowlist_regexp: '.+/closure/goog/debug/errorhandler.js' # wraps setTimeout and similar functions
  allowlist_regexp: '.+/closure/goog/json/json.js' # used in goog.json.parse
  # NOTE(review): the two module-loader exemptions below record no reason.
  allowlist_regexp: '.+/closure/goog/module/loader.js'
  allowlist_regexp: '.+/closure/goog/module/moduleloader.js'
}

# Bans calls to eval and execScript made through a Window object; the
# closure:eval rule covers the bare global names.
requirement: {
  rule_id: 'closure:windowEval'
  type: BANNED_PROPERTY_CALL
  error_message: 'window.eval is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'Window.prototype.eval'
  value: 'Window.prototype.execScript'

  allowlist_regexp: '.+/closure/goog/base.js'
  # TODO(jakubvrana): To be investigated.
  # NOTE(review): this exemption is active while the investigation above is
  # still open.
  allowlist_regexp: '.+/closure/goog/net/xpc/nixtransport.js'
}

# Restricts how these global functions may be called. Each value has the form
# "name:signature", and a call that does not fit the signature is reported.
# The signatures require a Function as the first argument of setTimeout,
# setInterval and requestAnimationFrame, which rules out the string form that
# is evaluated as code. Function itself is only allowed with no arguments.
# No allowlist: the rule applies to every file.
requirement: {
  rule_id: 'closure:stringFunctionDefinition'
  type: RESTRICTED_NAME_CALL
  error_message: 'Function, setTimeout, setInterval and requestAnimationFrame are not allowed with string argument. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'Function:function()'
  value: 'setTimeout:function(Function, ...?)'
  value: 'setInterval:function(Function, ...?)'
  value: 'requestAnimationFrame:function(Function, ...?)'
}

# Method-call counterpart of closure:stringFunctionDefinition. It applies the
# same signature restriction when the timer functions are called through a
# Window object, so the first argument must be a Function, not a string.
# No allowlist: the rule applies to every file.
requirement: {
  rule_id: 'closure:windowStringFunctionDefinition'
  type: RESTRICTED_METHOD_CALL
  error_message: 'window.setTimeout, setInterval and requestAnimationFrame are not allowed with string argument. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'

  value: 'Window.prototype.setTimeout:function(Function, ...?)'
  value: 'Window.prototype.setInterval:function(Function, ...?)'
  value: 'Window.prototype.requestAnimationFrame:function(Function, ...?)'
}

# Bans assigning non-constant values to Element.prototype.innerHTML.
# BANNED_PROPERTY_NON_CONSTANT_WRITE still permits compile-time constant
# assignments.
requirement: {
  rule_id: 'closure:innerHtml'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Element.prototype.innerHTML is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#innerHtml'

  value: 'Element.prototype.innerHTML'

  # Safe wrapper for this property.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'

  # Safe DOM Tree Processor and HTML sanitizer, which use it safely in order to
  # have the browser parse an HTML string using an inert DOM.
  allowlist_regexp: '.+/closure/goog/html/sanitizer/htmlsanitizer.js'
  allowlist_regexp: '.+/closure/goog/html/sanitizer/safedomtreeprocessor.js'
  # Safely used in goog.string.unescapeEntitiesUsingDom_; the string assigned to
  # innerHTML is a single HTML entity.
  allowlist_regexp: '.+/closure/goog/string/string.js'
  # goog.soy.renderElement and renderAsElement.  Safe if used with Strict Soy
  # templates.
  allowlist_regexp: '.+/closure/goog/soy/soy.js'
  # NOTE(review): the four exemptions below record no safety argument, and two
  # of them (editor/, testing/) exempt entire directories. A project that
  # extends this file inherits them for any source path matching the pattern.
  allowlist_regexp: '.+/closure/goog/dom/browserrange/ierange.js'
  allowlist_regexp: '.+/closure/goog/editor/'
  allowlist_regexp: '.+/closure/goog/style/style.js'
  allowlist_regexp: '.+/closure/goog/testing/'
}

# Bans assigning non-constant values to Element.prototype.outerHTML.
# The error message links to the #innerHtml section of the rule docs.
requirement: {
  rule_id: 'closure:outerHtml'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Element.prototype.outerHTML is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#innerHtml'

  value: 'Element.prototype.outerHTML'

  # Safe wrapper for this property.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
  # NOTE(review): directory-wide exemption with no recorded reason.
  allowlist_regexp: '.+/closure/goog/editor/'
}

# Bans every reference to Document.prototype.write and writeln. The error
# message points callers to goog.dom.safe.documentWrite instead.
# NOTE(review): unlike the other messages in this file, this one ends with a
# "." directly after the URL fragment, which can break auto-linking.
requirement: {
  rule_id: 'closure:documentWrite'
  type: BANNED_PROPERTY
  error_message: 'Using Document.prototype.write is not allowed. Use goog.dom.safe.documentWrite instead. See https://google.github.io/closure-library/develop/conformance_rules.html#documentWrite.'

  value: 'Document.prototype.write'
  value: 'Document.prototype.writeln'

  # These are safe.
  allowlist_regexp: '.+/closure/goog/async/nexttick.js'
  allowlist_regexp: '.+/closure/goog/base.js'
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
  # TODO(jakubvrana): These need to be refactored.
  # The two entries below are exempt pending that refactoring, not because
  # they were judged safe. testing/ is a directory-wide exemption.
  allowlist_regexp: '.+/closure/goog/editor/icontent.js'
  allowlist_regexp: '.+/closure/goog/testing/'
}

# Custom rule (BanCreateElement) configured for the tag name "script". Per
# the error message, <script> elements must be created through goog.dom
# functions with goog.dom.TagName.SCRIPT.
# NOTE(review): presumably this gives the element a precise type so the
# HTMLScriptElement property rules in this file can match it; confirm
# against the rule implementation.
requirement: {
  rule_id: "closure:untypedScript"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.SCRIPT to create <script> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "script"

  allowlist_regexp: ".+/closure/goog/base.js"

}

# Custom rule (BanCreateElement) configured for the tag name "iframe". Per
# the error message, <iframe> elements must be created through goog.dom
# functions with goog.dom.TagName.IFRAME.
requirement: {
  rule_id: "closure:untypedIframe"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.IFRAME to create <iframe> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "iframe"

  # The only exemption; no reason is recorded for it.
  allowlist_regexp: ".+/closure/goog/async/nexttick.js"
}

# Custom rule (BanCreateElement) configured for the tag name "frame". Per the
# error message, <frame> elements must be created through goog.dom functions
# with goog.dom.TagName.FRAME. No allowlist: applies to every file.
requirement: {
  rule_id: "closure:untypedFrame"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.FRAME to create <frame> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "frame"
}

# Custom rule (BanCreateElement) configured for the tag name "object". Per
# the error message, <object> elements must be created through goog.dom
# functions with goog.dom.TagName.OBJECT. No allowlist: applies to every file.
requirement: {
  rule_id: "closure:untypedObject"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.OBJECT to create <object> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "object"
}

# Custom rule (BanCreateElement) configured for the tag name "embed". Per the
# error message, <embed> elements must be created through goog.dom functions
# with goog.dom.TagName.EMBED. No allowlist: applies to every file.
requirement: {
  rule_id: "closure:untypedEmbed"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateElement"
  error_message: "Use goog.dom functions with goog.dom.TagName.EMBED to create <embed> elements. See https://google.github.io/closure-library/develop/conformance_rules.html#untypedElements"

  value: "embed"
}

# Bans every write, constant or not, to the properties that set the body of a
# <script> element. The error message explains why: appending such an element
# to the document has the same effect as eval().
requirement: {
  rule_id: 'closure:scriptContentProperty'
  type: BANNED_PROPERTY_WRITE
  error_message: 'Setting content of <script> and then appending it to the document has the same effect as calling eval(). See https://google.github.io/closure-library/develop/conformance_rules.html#scriptContent'
  # We ban untyped script creation by closure:untypedScript.
  # With loose-type reporting off, writes through a reference that is not
  # known to be an HTMLScriptElement are not reported. This rule therefore
  # depends on closure:untypedScript staying enabled, so that script elements
  # carry their precise type.
  report_loose_type_violations: false

  value: 'HTMLScriptElement.prototype.innerHTML'
  value: 'HTMLScriptElement.prototype.text'
  value: 'HTMLScriptElement.prototype.textContent'

  allowlist_regexp: '.+/closure/goog/base.js'
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
}

# Bans every reference to HTMLScriptElement.prototype.appendChild, the method
# route to setting a <script> element's content (same rationale and message
# as closure:scriptContentProperty).
requirement: {
  rule_id: 'closure:scriptContentMethod'
  type: BANNED_PROPERTY
  error_message: 'Setting content of <script> and then appending it to the document has the same effect as calling eval(). See https://google.github.io/closure-library/develop/conformance_rules.html#scriptContent'
  # We ban untyped script creation by closure:untypedScript.
  # With loose-type reporting off, this rule only fires when the receiver is
  # known to be an HTMLScriptElement, so it depends on closure:untypedScript
  # staying enabled.
  report_loose_type_violations: false

  value: 'HTMLScriptElement.prototype.appendChild'

  allowlist_regexp: '.+/closure/goog/base.js'
}

#### DOM properties and functions which accept URLs ####

# One rule per property name that exists for several types (e.g. href).
# Property names that exist for a single type (e.g. manifest) all
# share a single rule.
# Types with several dangerous properties and functions have their own rule
# (e.g. Location). This rule does not include any of its properties which are
# shared with other types (e.g. Location.prototype.href).
#
# For property names that exist on several types (e.g. href), the matching
# is done for their shared super type, even if the super type itself does not
# have the property. For example, Element does not have the href property, but
# many of its subtypes have. It's also necessary to match on Element for
# properties that exist on Element's subtypes because document.createElement()
# returns Element; matching on its subtypes only would miss many writes to the
# property.

# TODO(mlourenco): Create locationType rule banning protocol, assign()
# and replace() of Location.

# TODO(mlourenco): Move to "hrefProperty".
# Bans assigning non-constant values to Location.prototype.href.
requirement: {
  rule_id: 'closure:locationHref'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Location.prototype.href is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#location'

  value: 'Location.prototype.href'

  # NOTE(review): presumably the safe wrapper for this property, as in the
  # other rules in this file that exempt goog/dom/safe.js.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'

  # The following allowlist entries are due to usages of .href that still
  # need to be refactored or reviewed. See http://b/12014412.
  allowlist_regexp: '.+/closure/goog/history/history.js'
}

# TODO(mlourenco): Rename to "locationProperty". Add Document.location to it.
# Bans assigning non-constant values to Window.prototype.location. No
# allowlist: the rule applies to every file.
requirement: {
  rule_id: 'closure:location'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Window.prototype.location is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#location'

  value: 'Window.prototype.location'
}

# TODO(user): Rename hrefProperty.
# Bans assigning non-constant values to the href property. The rule matches on
# Element, so it covers all element subtypes, and also lists the two
# non-Element types below.
requirement: {
  rule_id: 'closure:href'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to .href property of Anchor, Link, etc elements, is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#href'

  # Many subtypes of Element have an href property.
  value: 'Element.prototype.href'
  # These are not subtypes of Element.
  value: 'StyleSheet.prototype.href'
  value: 'CSSImportRule.prototype.href'

  # Safe wrapper for this property.
  allowlist_regexp: '.+/closure/goog/dom/safe.js'
  # The following allowlist entries are due to usages of .href that still
  # need to be refactored or reviewed. See http://b/12014412.
  allowlist_regexp: '.+/closure/goog/editor/plugins/linkdialogplugin.js'
  allowlist_regexp: '.+/closure/goog/testing/testrunner.js'
  # This use has previously been refactored away, but had to be rolled
  # back due to breakages in gmail, see http://b/13727806.
  # This use may actually be safe because it only assigns to .href in
  # the context of a contenteditable. To be further reviewed.
  # NOTE(review): per the comment above, this exemption rests on an
  # unconfirmed safety argument.
  allowlist_regexp: '.+/closure/goog/editor/link.js'
}

# TODO(mlourenco): Move src to "srcProperty", others to "otherProperties". Ban
# "src" and other properties at "Element", so that elements returned by
# document.createElement() are captured.
# Bans assigning non-constant values to properties that load code or active
# content from a URL. Per the error message, such assignments must go through
# goog.dom.safe with a TrustedResourceUrl.
requirement: {
  rule_id: "closure:trustedResourceUrlProperties"
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: "Assignment to property requires a TrustedResourceUrl via goog.dom.safe. See https://google.github.io/closure-library/develop/conformance_rules.html#trustedResourceUrl"
  # With loose-type reporting off, a write through a reference typed only as
  # a supertype (for example the Element returned by document.createElement())
  # is presumably not reported. This rule therefore relies on the untyped*
  # element-creation rules to keep these elements precisely typed.
  report_loose_type_violations: false

  # Properties which can only be assigned to from a TrustedResourceUrl.
  value: "HTMLElement.prototype.manifest"
  value: 'HTMLEmbedElement.prototype.src'
  value: 'HTMLFrameElement.prototype.src'
  value: 'HTMLIFrameElement.prototype.src'
  # For HTMLLinkElement both href and rel have to be assigned at the same time.
  value: "HTMLLinkElement.prototype.rel"
  # TODO(mlourenco): We probably want an "objectType" rule instead since
  # there are a bunch of dangerous properties.
  value: "HTMLObjectElement.prototype.data"
  value: 'HTMLScriptElement.prototype.src'
  # TODO(mlourenco): Ban other dangerous properties (archive, classid, etc).

  # Closure's debug loader.
  allowlist_regexp: '.+/closure/goog/base.js'
  # Safe wrapper for this property.
  allowlist_regexp: ".+/closure/goog/dom/safe.js"
  # The following allowlist entries are due to assignments from string that
  # still need to be refactored or reviewed. See http://b/12014412.
  # NOTE(review): net/xpc/ below is a directory-wide exemption.
  allowlist_regexp: '.+/closure/goog/net/crossdomainrpc.js'
  allowlist_regexp: '.+/closure/goog/net/xpc/'
  allowlist_regexp: '.+/closure/goog/testing/multitestrunner.js'
  allowlist_regexp: '.+/closure/goog/ui/dragdropdetector.js'
}

# Custom rule (BanCreateDom): per the error message, assigning a string to a
# dangerous property via createDom is forbidden. Each value is "tag.property";
# the '*' entries presumably apply to any tag (confirm against the rule
# implementation).
requirement: {
  rule_id: "closure:createDom"
  type: CUSTOM
  java_class: "com.google.javascript.jscomp.ConformanceRules$BanCreateDom"
  error_message: "Assigning a string to a dangerous property via createDom is forbidden. See https://google.github.io/closure-library/develop/conformance_rules.html#createDom"

  value: "embed.src"
  value: "frame.src"
  value: "html.manifest"
  value: "iframe.src"
  value: "object.data"
  value: "script.src"
  value: "script.text"
  value: "script.textContent"
  value: "track.src"
  value: '*.href'
  value: '*.innerHTML'
  value: '*.outerHTML'

  # NOTE(review): the two entries below differ only in path (closure/tweak/ vs
  # closure/goog/tweak/). The first carries a MOE:strip_line marker, so it was
  # presumably meant to be dropped from exported copies of this file. Confirm
  # whether it should still be present, since it exempts a path outside
  # closure/goog/.
  allowlist_regexp: ".+/closure/tweak/tweakui.js"  # False positive - missing type on containerNodeName. MOE:strip_line
  allowlist_regexp: '.+/closure/goog/tweak/tweakui.js' # False positive - missing type on containerNodeName.

  # TODO(jakubvrana): Ban this.
  # Until that TODO is done, abstractspellchecker.js may pass strings to the
  # properties listed above without being flagged.
  allowlist_regexp: '.+/closure/goog/ui/abstractspellchecker.js'
}

#### Closure functions which use goog.html.legacyconversions ####

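# These are functions which accept a string and then use
# goog.html.legacyconversions to convert the string into SafeHtml. They
# are not XSS-safe.
#
# These rules allow projects to have compile-time errors for legacyconversions
# functions and to progressively move away from them by using the allowlist.
#
# NOTE: no requirement blocks follow this header in this file as shown, so
# nothing in this section flags callers of legacyconversions-based functions.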

### Closure library restrictions ###

# Bans references to the name goog.debug.Logger.getLogger outside the debug/
# and log/ directories.
requirement: {
  rule_id: "closure:getLogger"
  type: BANNED_NAME
  error_message: "Use of goog.debug.Logger.getLogger is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#logger"

  value: "goog.debug.Logger.getLogger"

  # Both entries exempt whole directories.
  allowlist_regexp: ".+/closure/goog/debug/"
  allowlist_regexp: ".+/closure/goog/log/"
}

# Bans calls to the goog.debug.Logger instance methods listed below outside
# the debug/ and log/ directories. BANNED_PROPERTY_CALL targets calls only.
requirement: {
  rule_id: "closure:logger"
  type: BANNED_PROPERTY_CALL
  error_message: "Direct use of goog.debug.Logger is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#logger"

  value: "goog.debug.Logger.prototype.log"
  value: "goog.debug.Logger.prototype.shout"
  value: "goog.debug.Logger.prototype.severe"
  value: "goog.debug.Logger.prototype.warning"
  value: "goog.debug.Logger.prototype.info"
  value: "goog.debug.Logger.prototype.config"
  value: "goog.debug.Logger.prototype.fine"
  value: "goog.debug.Logger.prototype.finer"
  value: "goog.debug.Logger.prototype.finest"
  value: "goog.debug.Logger.prototype.logRecord"
  value: "goog.debug.Logger.prototype.getName"
  value: "goog.debug.Logger.prototype.addHandler"
  value: "goog.debug.Logger.prototype.removeHandler"
  value: "goog.debug.Logger.prototype.getParent"
  value: "goog.debug.Logger.prototype.getChildren"
  value: "goog.debug.Logger.prototype.getLevel"
  value: "goog.debug.Logger.prototype.setLevel"
  value: "goog.debug.Logger.prototype.getEffectiveLevel"
  value: "goog.debug.Logger.prototype.isLoggable"
  value: "goog.debug.Logger.prototype.getLogRecord"

  # Both entries exempt whole directories.
  allowlist_regexp: ".+/closure/goog/debug/"
  allowlist_regexp: ".+/closure/goog/log/"
}