(Empty) | |
1 <!doctype html> | |
2 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'repo rt-sample'; style-src 'self'; img-src 'none'"> | |
3 <script nonce="abc" src="/resources/testharness.js"></script> | |
4 <script nonce="abc" src="/resources/testharnessreport.js"></script> | |
5 <body> | |
6 <script nonce="abc"> | |
7 function waitForViolation(el) { | |
8 return new Promise(resolve => { | |
9 el.addEventListener('securitypolicyviolation', e => resolve(e)); | |
10 }); | |
11 } | |
12 | |
13 async_test(t => { | |
14 var s = document.createElement('script'); | |
15 s.innerText = "assert_unreached('inline script block')"; | |
16 | |
17 waitForViolation(s) | |
18 .then(t.step_func_done(e => { | |
19 assert_equals(e.blockedURI, "inline"); | |
20 assert_equals(e.scriptSample, "assert_unreached('inline script block') "); | |
21 })); | |
22 | |
23 document.head.append(s); | |
24 }, "Inline script should have a script-sample."); | |
25 | |
26 async_test(t => { | |
27 var s = document.createElement('style'); | |
28 s.innerText = "p { omg: yay !important; }"; | |
29 | |
30 waitForViolation(s) | |
31 .then(t.step_func_done(e => { | |
32 assert_equals(e.blockedURI, "inline"); | |
33 assert_equals(e.scriptSample, ""); | |
34 })); | |
35 | |
36 document.head.append(s); | |
37 }, "Inline style blocks should not have a script-sample."); | |
38 | |
39 async_test(t => { | |
40 var a = document.createElement("a"); | |
41 a.setAttribute("onclick", "assert_unreached('inline event handler')"); | |
42 | |
43 waitForViolation(a) | |
44 .then(t.step_func_done(e => { | |
45 assert_equals(e.blockedURI, "inline"); | |
46 assert_equals(e.scriptSample, "assert_unreached('inline event handler' )"); | |
47 })); | |
48 | |
49 document.body.append(a); | |
50 a.click(); | |
51 }, "Inline event handlers should have a script-sample."); | |
52 | |
53 async_test(t => { | |
54 var i = document.createElement("iframe"); | |
55 i.src = "javascript:'inline url'"; | |
56 | |
57 waitForViolation(i) | |
58 .then(t.step_func_done(e => { | |
59 assert_equals(e.blockedURI, "inline"); | |
60 assert_equals(e.scriptSample, "javascript:'inline url'"); | |
61 })); | |
62 | |
63 document.body.append(i); | |
64 }, "JavaScript URLs in iframes should have a script-sample."); | |
65 | |
66 async_test(t => { | |
67 document.addEventListener('securitypolicyviolation', t.step_func(e => { | |
68 if (e.blockedURI != "eval") | |
69 return; | |
70 | |
71 assert_equals(e.scriptSample, ""); | |
72 t.done(); | |
73 })); | |
74 try { | |
75 eval("assert_unreached('eval')"); | |
76 assert_ureached('eval'); | |
andypaicu
2017/02/22 12:47:03
Typo here — should be "assert_unreached".
Mike West
2017/02/22 14:54:00
I guess it really was unreached, eh? :)
77 } catch (e) { | |
78 } | |
79 }, "eval() should not have a script-sample."); | |
80 </script> | |
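Review bot: The empty `catch (e) {}` closing the eval test (lines 74–78) makes the `try` body unobservable — a blocked `eval()`, a successful one, and an unrelated exception all land in the same silent catch, so the test can only fail through the document-level listener. CSP-blocked `eval()` is expected to throw an `EvalError`, so the catch could pin that instead of discarding it: `} catch (e) { assert_equals(e.name, "EvalError"); }`. The `blockedURI` comparison on line 68 uses `!=`; `!==` is the strict form the surrounding assertions imply. The listener registered on `document` is also never removed, though the `blockedURI` filter keeps it from reacting to the other tests' violations.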