OLD | NEW |
---|---|
(Empty) | |
1 <!doctype html> | |
2 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'repo rt-sample'; style-src 'self'; img-src 'none'"> | |
3 <script nonce="abc" src="/resources/testharness.js"></script> | |
4 <script nonce="abc" src="/resources/testharnessreport.js"></script> | |
5 <body> | |
6 <script nonce="abc"> | |
7 function waitForViolation(el) { | |
8 return new Promise(resolve => { | |
9 el.addEventListener('securitypolicyviolation', e => resolve(e)); | |
10 }); | |
11 } | |
12 | |
13 async_test(t => { | |
14 var s = document.createElement('script'); | |
15 s.innerText = "assert_unreached('inline script block')"; | |
16 | |
17 waitForViolation(s) | |
18 .then(t.step_func_done(e => { | |
19 assert_equals(e.blockedURI, "inline"); | |
20 assert_equals(e.sample, "assert_unreached('inline script block')"); | |
21 })); | |
22 | |
23 document.head.append(s); | |
24 }, "Inline script should have a sample."); | |
25 | |
26 async_test(t => { | |
27 var a = document.createElement("a"); | |
28 a.setAttribute("onclick", "assert_unreached('inline event handler')"); | |
29 | |
30 waitForViolation(a) | |
31 .then(t.step_func_done(e => { | |
32 assert_equals(e.blockedURI, "inline"); | |
33 assert_equals(e.sample, "assert_unreached('inline event handler')"); | |
Mike West
2017/02/22 14:54:00
lwe@: Hey, look, the thing you asked for is alread
| |
34 })); | |
35 | |
36 document.body.append(a); | |
37 a.click(); | |
38 }, "Inline event handlers should have a sample."); | |
39 | |
40 async_test(t => { | |
41 var i = document.createElement("iframe"); | |
42 i.src = "javascript:'inline url'"; | |
43 | |
44 waitForViolation(i) | |
45 .then(t.step_func_done(e => { | |
46 assert_equals(e.blockedURI, "inline"); | |
47 assert_equals(e.sample, "javascript:'inline url'"); | |
48 })); | |
49 | |
50 document.body.append(i); | |
51 }, "JavaScript URLs in iframes should have a sample."); | |
52 | |
53 async_test(t => { | |
54 document.addEventListener('securitypolicyviolation', t.step_func(e => { | |
55 if (e.blockedURI != "eval") | |
56 return; | |
57 | |
58 assert_equals(e.sample, ""); | |
59 t.done(); | |
60 })); | |
61 try { | |
62 eval("assert_unreached('eval')"); | |
63 assert_unreached('eval'); | |
64 } catch (e) { | |
65 } | |
66 }, "eval() should not have a sample."); | |
67 </script> | |
OLD | NEW |