# Conformance users:
#
# DO NOT COPY PASTE THESE RULES. If you do, changes to Closure can break your
# build and you also won't get new or improved rules. Instead use this file in
# your project and extend the rules to disable them or to add their whitelists.

# Overview: each `requirement` below names a JavaScript construct to ban or
# restrict (`type` with `value`, or a CUSTOM `java_class`), the message
# reported on a violation, and `whitelist_regexp` patterns for sources that
# are exempt from the rule.
#
# NOTE(review): every `whitelist_regexp` is an exemption from a check. Patterns
# that end in '/' cover a whole directory, so files added under those paths
# later are presumably exempt as well. Prefer per-file entries with a recorded
# reason, and re-audit the entries that carry a TODO or no comment.

### Platform restrictions ###

# Bans any use of Arguments.prototype.callee outside the listed paths.
requirement: {
  rule_id: 'closure:callee'
  type: BANNED_PROPERTY
  error_message: 'Arguments.prototype.callee is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#callee'
  value: 'Arguments.prototype.callee'
  whitelist_regexp: '.+/closure/goog/debug/'  # legacy stack trace support, etc
  # TODO(mlourenco): Fix this? Not sure if possible or not.
  whitelist_regexp: '.+/closure/goog/testing/stacktrace.js'
}

# Bans the @expose annotation everywhere; no exemptions are listed.
requirement: {
  rule_id: 'closure:expose'
  type: CUSTOM
  java_class: 'com.google.javascript.jscomp.ConformanceRules$BanExpose'
  error_message: '@expose is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#expose'
}

# Requires thrown values to be Error objects or Error subclasses.
requirement: {
  rule_id: 'closure:throwOfNonErrorTypes'
  type: CUSTOM
  java_class: 'com.google.javascript.jscomp.ConformanceRules$BanThrowOfNonErrorTypes'
  error_message: 'Only Error or Error subclass objects may be thrown. See https://google.github.io/closure-library/develop/conformance_rules.html#throwOfNonErrorTypes'
  whitelist_regexp: '.+/closure/goog/storage/'  # throws numbers as part of its api
  whitelist_regexp: '.+/closure/goog/testing/mock.js'  # throws Object in $recordAndThrow
}

# Bans global declarations outside the listed sources.
requirement: {
  rule_id: 'closure:globalVars'
  type: CUSTOM
  java_class: 'com.google.javascript.jscomp.ConformanceRules$BanGlobalVars'
  error_message: 'Global declarations are not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#globalVars'
  whitelist_regexp: '.+/closure/goog/base.js'  # global 'goog'
  whitelist_regexp: '.+/closure/goog/labs/testing/'  # global matchers, etc
  whitelist_regexp: '.+/closure/goog/locale/locale.js'  # dumb api
  whitelist_regexp: '.+/closure/goog/testing/'  # global assert methods, etc
  whitelist_regexp: '.+/closure/goog/tweak/testhelpers.js'  # global values
  # NOTE(review): unlike the other entries this pattern is anchored and is not
  # a closure/goog path; presumably it matches a synthetic source name for
  # injected code. TODO confirm what it is matched against.
  whitelist_regexp: '^Post.*_module$'  # injected '_ModuleManager_initialize'
}

# Bans references to `this` whose type the compiler reports as unknown.
# NOTE(review): none of the exemptions below records a reason.
requirement: {
  rule_id: 'closure:unknownThis'
  type: CUSTOM
  java_class: 'com.google.javascript.jscomp.ConformanceRules$BanUnknownThis'
  error_message: 'References to "this" that are typed as "unknown" are not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#unknownThis'
  whitelist_regexp: '.+/closure/goog/base.js'
  whitelist_regexp: '.+/closure/goog/debug/errorhandler.js'
  whitelist_regexp: '.+/closure/goog/editor/plugins/linkbubble.js'
  whitelist_regexp: '.+/closure/goog/editor/plugins/linkdialogplugin.js'
  whitelist_regexp: '.+/closure/goog/functions/functions.js'
  whitelist_regexp: '.+/closure/goog/memoize/memoize.js'
  whitelist_regexp: '.+/closure/goog/pubsub/pubsub.js'
  whitelist_regexp: '.+/closure/goog/result/resultutil.js'
  whitelist_regexp: '.+/closure/goog/testing/'
  whitelist_regexp: '.+/closure/goog/ui/editor/bubble.js'
  whitelist_regexp: '.+/closure/goog/ui/editor/toolbarcontroller.js'
}

### Browser tech requirements ###

# This requirement is somewhat Google-specific: open-source Closure users that
# don't use GAPI could reasonably ignore it depending on how they do messaging
# in their app.
requirement: {
  rule_id: 'closure:postMessage'
  # BANNED_PROPERTY_CALL flags calls to the property; plain references to it
  # are not flagged by this type.
  type: BANNED_PROPERTY_CALL
  error_message: 'Window.prototype.postMessage is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#postMessage'
  value: 'Window.prototype.postMessage'
  # Known-safe common infrastructure.
  whitelist_regexp: '.+/closure/goog/async/nexttick.js'
  whitelist_regexp: '.+/closure/goog/net/xpc/nativemessagingtransport.js'
  # TODO(user): make sure this gets security reviewed (b/29333525).
  # NOTE(review): the exemption below is in effect while that review is still
  # open; treat portchannel.js as not yet security reviewed until the TODO is
  # resolved.
  whitelist_regexp: '.+/closure/goog/messaging/portchannel.js'
}

### Security: forbid DOM properties and functions which can cause XSS ###

# These are properties and functions which might have safe wrappers under
# goog.dom.safe. Two groups: properties and functions which accept
# HTML/CSS/script-as-string, properties and functions which accept URLs.

#### DOM properties and functions which accept HTML/CSS/script-as-string #####

# Bans the names eval, execScript and goog.globalEval outside the listed files.
requirement: {
  rule_id: 'closure:eval'
  # TODO(jakubvrana): Change to BANNED_NAME_CALL after cl/154708486 lands.
  type: BANNED_NAME
  error_message: 'eval is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'
  value: 'eval'
  value: 'execScript'
  value: 'goog.globalEval'
  whitelist_regexp: '.+/closure/goog/base.js'  # goog.module loading in uncompiled code.
  whitelist_regexp: '.+/closure/goog/goog.js'  # Forwards goog.globalEval
  whitelist_regexp: '.+/closure/goog/debug/errorhandler.js'  # wraps setTimeout and similar functions
  whitelist_regexp: '.+/closure/goog/json/json.js'  # used in goog.json.parse
  # NOTE(review): no reason is recorded for the two module-loader exemptions
  # below; confirm which input reaches eval in those files.
  whitelist_regexp: '.+/closure/goog/module/loader.js'
  whitelist_regexp: '.+/closure/goog/module/moduleloader.js'
}

# Same ban for the window.eval / window.execScript call forms.
requirement: {
  rule_id: 'closure:windowEval'
  type: BANNED_PROPERTY_CALL
  error_message: 'window.eval is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'
  value: 'Window.prototype.eval'
  value: 'Window.prototype.execScript'
  whitelist_regexp: '.+/closure/goog/base.js'
  # TODO(jakubvrana): To be investigated.
  # NOTE(review): exempt while uninvestigated; keep this entry on the audit
  # list until the TODO is resolved.
  whitelist_regexp: '.+/closure/goog/net/xpc/nixtransport.js'
}

# Restricts calls that can take code as a string. Each value has the form
# `name:required call signature`: the timer entries require a Function as the
# first argument, and 'Function:function()' should admit only a zero-argument
# call, so the string (code-as-text) forms are reported.
requirement: {
  rule_id: 'closure:stringFunctionDefinition'
  type: RESTRICTED_NAME_CALL
  error_message: 'Function, setTimeout, setInterval and requestAnimationFrame are not allowed with string argument. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'
  value: 'Function:function()'
  value: 'setTimeout:function(Function, ...?)'
  value: 'setInterval:function(Function, ...?)'
  value: 'requestAnimationFrame:function(Function, ...?)'
}

# Same restriction for the timer functions when called as Window methods.
requirement: {
  rule_id: 'closure:windowStringFunctionDefinition'
  type: RESTRICTED_METHOD_CALL
  error_message: 'window.setTimeout, setInterval and requestAnimationFrame are not allowed with string argument. See https://google.github.io/closure-library/develop/conformance_rules.html#eval'
  value: 'Window.prototype.setTimeout:function(Function, ...?)'
  value: 'Window.prototype.setInterval:function(Function, ...?)'
  value: 'Window.prototype.requestAnimationFrame:function(Function, ...?)'
}

requirement: {
  rule_id: 'closure:innerHtml'
  # Only non-constant writes are flagged by this type: assigning a constant
  # string still passes, any computed value is reported.
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  error_message: 'Assignment to Element.prototype.innerHTML is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#innerHtml'
  value: 'Element.prototype.innerHTML'
  # Safe wrapper for this property.
  whitelist_regexp: '.+/closure/goog/dom/safe.js'
  # Safe DOM Tree Processor and HTML sanitizer, which use it safely in order to
  # have the browser parse an HTML string using an inert DOM.
  whitelist_regexp: '.+/closure/goog/html/sanitizer/htmlsanitizer.js'
  whitelist_regexp: '.+/closure/goog/html/sanitizer/safedomtreeprocessor.js'
  # Safely used in goog.string.unescapeEntitiesUsingDom_; the string assigned to
  # innerHTML is a single HTML entity.
  whitelist_regexp: '.+/closure/goog/string/string.js'
  # goog.soy.renderElement and renderAsElement. Safe if used with Strict Soy
  # templates.
  # NOTE(review): that safety depends on the callers; nothing in this rule
  # checks that the templates passed to soy.js are strict.
  whitelist_regexp: '.+/closure/goog/soy/soy.js'
  # NOTE(review): no reason is recorded for the four exemptions below, and
  # editor/ and testing/ are directory-wide. Confirm each is still needed.
  whitelist_regexp: '.+/closure/goog/dom/browserrange/ierange.js'
  whitelist_regexp: '.+/closure/goog/editor/'
  whitelist_regexp: '.+/closure/goog/style/style.js'
  whitelist_regexp: '.+/closure/goog/testing/'
}

requirement: {
  rule_id: 'closure:outerHtml'
  type: BANNED_PROPERTY_NON_CONSTANT_WRITE
  # The message links to the #innerHtml section; presumably the two properties
  # share one documentation entry.
  error_message: 'Assignment to Element.prototype.outerHTML is not allowed. See https://google.github.io/closure-library/develop/conformance_rules.html#innerHtml'
  value: 'Element.prototype.outerHTML'
  # Safe wrapper for this property.
  whitelist_regexp: '.+/closure/goog/dom/safe.js'
  # NOTE(review): directory-wide exemption with no recorded reason.
  whitelist_regexp: '.+/closure/goog/editor/'
}

# Bans Document.prototype.write and writeln; the message points callers to
# goog.dom.safe.documentWrite.
requirement: {
  rule_id: 'closure:documentWrite'
  type: BANNED_PROPERTY
  error_message: 'Using Document.prototype.write is not allowed. Use goog.dom.safe.documentWrite instead. See https://google.github.io/closure-library/develop/conformance_rules.html#documentWrite.'
  value: 'Document.prototype.write'
  value: 'Document.prototype.writeln'
  # These are safe.
  whitelist_regexp: '.+/closure/goog/async/nexttick.js'
  whitelist_regexp: '.+/closure/goog/base.js'
  whitelist_regexp: '.+/closure/goog/dom/safe.js'
  # TODO(jakubvrana): These need to be refactored.
  whitelist_regexp: '.+/closure/goog/editor/icontent.js'
  whitelist_regexp: '.+/closure/goog/testing/'
}

requirement: {
  rule_id: 'closure:untypedScript'
  type: CUSTOM
  java_class: 'com.google.javascript.jscomp.ConformanceRules$BanCreateElement'
  error_message: 'Use goog.dom functions with goog.dom.TagName.SCRIPT to create