Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html |
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..f0bd2cd3b1e2225971774efff5c3f67327cc46e1 |
--- /dev/null |
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html |
@@ -0,0 +1,80 @@ |
+<!doctype html> |
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'"> |
+<script nonce="abc" src="/resources/testharness.js"></script> |
+<script nonce="abc" src="/resources/testharnessreport.js"></script> |
+<body> |
+<script nonce="abc"> |
+ function waitForViolation(el) { |
+ return new Promise(resolve => { |
+ el.addEventListener('securitypolicyviolation', e => resolve(e)); |
+ }); |
+ } |
+ |
+ async_test(t => { |
+ var s = document.createElement('script'); |
+ s.innerText = "assert_unreached('inline script block')"; |
+ |
+ waitForViolation(s) |
+ .then(t.step_func_done(e => { |
+ assert_equals(e.blockedURI, "inline"); |
+ assert_equals(e.scriptSample, "assert_unreached('inline script block')"); |
+ })); |
+ |
+ document.head.append(s); |
+ }, "Inline script should have a script-sample."); |
+ |
+ async_test(t => { |
+ var s = document.createElement('style'); |
+ s.innerText = "p { omg: yay !important; }"; |
+ |
+ waitForViolation(s) |
+ .then(t.step_func_done(e => { |
+ assert_equals(e.blockedURI, "inline"); |
+ assert_equals(e.scriptSample, ""); |
+ })); |
+ |
+ document.head.append(s); |
+ }, "Inline style blocks should not have a script-sample."); |
+ |
+ async_test(t => { |
+ var a = document.createElement("a"); |
+ a.setAttribute("onclick", "assert_unreached('inline event handler')"); |
+ |
+ waitForViolation(a) |
+ .then(t.step_func_done(e => { |
+ assert_equals(e.blockedURI, "inline"); |
+ assert_equals(e.scriptSample, "assert_unreached('inline event handler')"); |
+ })); |
+ |
+ document.body.append(a); |
+ a.click(); |
+ }, "Inline event handlers should have a script-sample."); |
+ |
+ async_test(t => { |
+ var i = document.createElement("iframe"); |
+ i.src = "javascript:'inline url'"; |
+ |
+ waitForViolation(i) |
+ .then(t.step_func_done(e => { |
+ assert_equals(e.blockedURI, "inline"); |
+ assert_equals(e.scriptSample, "javascript:'inline url'"); |
+ })); |
+ |
+ document.body.append(i); |
+ }, "JavaScript URLs in iframes should have a script-sample."); |
+ |
+ async_test(t => { |
+ document.addEventListener('securitypolicyviolation', t.step_func(e => { |
+ if (e.blockedURI != "eval") |
+ return; |
+ |
+ assert_equals(e.scriptSample, ""); |
+ t.done(); |
+ })); |
+ try { |
+ eval("assert_unreached('eval')"); |
+ assert_ureached('eval'); |
andypaicu
2017/02/22 12:47:03
Typo here "assert_unreached"
Mike West
2017/02/22 14:54:00
I guess it really was unreached, eh? :)
|
+ } catch (e) { |
+ } |
+ }, "eval() should not have a script-sample."); |
+</script> |