Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(4)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html

Issue 2436003002: CSP: Add 'script-sample' to violation reports. (Closed)
Patch Set: Rebase. Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt ('k') | third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 <!doctype html>
2 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'repo rt-sample'; style-src 'self'; img-src 'none'">
3 <script nonce="abc" src="/resources/testharness.js"></script>
4 <script nonce="abc" src="/resources/testharnessreport.js"></script>
5 <body>
6 <script nonce="abc">
7 function waitForViolation(el) {
8 return new Promise(resolve => {
9 el.addEventListener('securitypolicyviolation', e => resolve(e));
10 });
11 }
12
13 async_test(t => {
14 var s = document.createElement('script');
15 s.innerText = "assert_unreached('inline script block')";
16
17 waitForViolation(s)
18 .then(t.step_func_done(e => {
19 assert_equals(e.blockedURI, "inline");
20 assert_equals(e.scriptSample, "assert_unreached('inline script block') ");
21 }));
22
23 document.head.append(s);
24 }, "Inline script should have a script-sample.");
25
26 async_test(t => {
27 var s = document.createElement('style');
28 s.innerText = "p { omg: yay !important; }";
29
30 waitForViolation(s)
31 .then(t.step_func_done(e => {
32 assert_equals(e.blockedURI, "inline");
33 assert_equals(e.scriptSample, "");
34 }));
35
36 document.head.append(s);
37 }, "Inline style blocks should not have a script-sample.");
38
39 async_test(t => {
40 var a = document.createElement("a");
41 a.setAttribute("onclick", "assert_unreached('inline event handler')");
42
43 waitForViolation(a)
44 .then(t.step_func_done(e => {
45 assert_equals(e.blockedURI, "inline");
46 assert_equals(e.scriptSample, "assert_unreached('inline event handler' )");
47 }));
48
49 document.body.append(a);
50 a.click();
51 }, "Inline event handlers should have a script-sample.");
52
53 async_test(t => {
54 var i = document.createElement("iframe");
55 i.src = "javascript:'inline url'";
56
57 waitForViolation(i)
58 .then(t.step_func_done(e => {
59 assert_equals(e.blockedURI, "inline");
60 assert_equals(e.scriptSample, "javascript:'inline url'");
61 }));
62
63 document.body.append(i);
64 }, "JavaScript URLs in iframes should have a script-sample.");
65
66 async_test(t => {
67 document.addEventListener('securitypolicyviolation', t.step_func(e => {
68 if (e.blockedURI != "eval")
69 return;
70
71 assert_equals(e.scriptSample, "");
72 t.done();
73 }));
74 try {
75 eval("assert_unreached('eval')");
76 assert_ureached('eval');
andypaicu 2017/02/22 12:47:03 Typo here "assert_unreached"
Mike West 2017/02/22 14:54:00 I guess it really was unreached, eh? :)
77 } catch (e) {
78 }
79 }, "eval() should not have a script-sample.");
80 </script>
OLDNEW
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt ('k') | third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698