third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html - Issue 2436003002: CSP: Add 'script-sample' to violation reports.

Unified Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html

Issue 2436003002: CSP: Add 'script-sample' to violation reports. (Closed)

Patch Set: Tests. Created 3 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/idl-expected.txt ('K') | « third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/idl-expected.txt ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html » ('j') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html

diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html

new file mode 100644

index 0000000000000000000000000000000000000000..2087f46be2be6dc6046dd6b58c6c40fccd92a4b4

--- /dev/null

+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html

@@ -0,0 +1,67 @@

+<!doctype html>

+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'">

+<script nonce="abc" src="/resources/testharness.js"></script>

+<script nonce="abc" src="/resources/testharnessreport.js"></script>

+<body>

+<script nonce="abc">

+ function waitForViolation(el) {

+ return new Promise(resolve => {

+ el.addEventListener('securitypolicyviolation', e => resolve(e));

+ });

+ }

+ async_test(t => {

+ var s = document.createElement('script');

+ s.innerText = "assert_unreached('inline script block')";

+ waitForViolation(s)

+ .then(t.step_func_done(e => {

+ assert_equals(e.blockedURI, "inline");

+ assert_equals(e.sample, "assert_unreached('inline script block')");

+ }));

+ document.head.append(s);

+ }, "Inline script should have a sample.");

+ async_test(t => {

+ var a = document.createElement("a");

+ a.setAttribute("onclick", "assert_unreached('inline event handler')");

+ waitForViolation(a)

+ .then(t.step_func_done(e => {

+ assert_equals(e.blockedURI, "inline");

+ assert_equals(e.sample, "assert_unreached('inline event handler')");

Mike West 2017/02/22 14:54:00 lwe@: Hey, look, the thing you asked for is alread

+ }));

+ document.body.append(a);

+ a.click();

+ }, "Inline event handlers should have a sample.");

+ async_test(t => {

+ var i = document.createElement("iframe");

+ i.src = "javascript:'inline url'";

+ waitForViolation(i)

+ .then(t.step_func_done(e => {

+ assert_equals(e.blockedURI, "inline");

+ assert_equals(e.sample, "javascript:'inline url'");

+ }));

+ document.body.append(i);

+ }, "JavaScript URLs in iframes should have a sample.");

+ async_test(t => {

+ document.addEventListener('securitypolicyviolation', t.step_func(e => {

+ if (e.blockedURI != "eval")

+ return;

+ assert_equals(e.sample, "");

+ t.done();

+ }));

+ try {

+ eval("assert_unreached('eval')");

+ assert_unreached('eval');

+ } catch (e) {

+ }

+ }, "eval() should not have a sample.");

+</script>