CSP: Add 'script-sample' to violation reports.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html
new file mode 100644
index 0000000000000000000000000000000000000000..f0bd2cd3b1e2225971774efff5c3f67327cc46e1
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/securitypolicyviolation/script-sample.html
@@ -0,0 +1,80 @@
+<!doctype html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'">
+<script nonce="abc" src="/resources/testharness.js"></script>
+<script nonce="abc" src="/resources/testharnessreport.js"></script>
+<body>
+<script nonce="abc">
+    function waitForViolation(el) {
+      return new Promise(resolve => {
+        el.addEventListener('securitypolicyviolation', e => resolve(e));
+      });
+    }
+
+    async_test(t => {
+      var s = document.createElement('script');
+      s.innerText = "assert_unreached('inline script block')";
+
+      waitForViolation(s)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.scriptSample, "assert_unreached('inline script block')");
+        }));
+
+      document.head.append(s);
+    }, "Inline script should have a script-sample.");
+
+    async_test(t => {
+      var s = document.createElement('style');
+      s.innerText = "p { omg: yay !important; }";
+      
+      waitForViolation(s)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.scriptSample, "");
+        }));     
+
+      document.head.append(s);
+    }, "Inline style blocks should not have a script-sample.");
+
+    async_test(t => {
+      var a = document.createElement("a");
+      a.setAttribute("onclick", "assert_unreached('inline event handler')");
+
+      waitForViolation(a)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.scriptSample, "assert_unreached('inline event handler')");
+        }));     
+      
+      document.body.append(a);
+      a.click();
+    }, "Inline event handlers should have a script-sample.");
+
+    async_test(t => {
+      var i = document.createElement("iframe");
+      i.src = "javascript:'inline url'";
+
+      waitForViolation(i)
+        .then(t.step_func_done(e => {
+          assert_equals(e.blockedURI, "inline");
+          assert_equals(e.scriptSample, "javascript:'inline url'");
+        }));     
+      
+      document.body.append(i);
+    }, "JavaScript URLs in iframes should have a script-sample.");
+
+    async_test(t => {
+      document.addEventListener('securitypolicyviolation', t.step_func(e => {
+        if (e.blockedURI != "eval")
+          return;
+
+        assert_equals(e.scriptSample, "");
+        t.done();
+      }));
+      try {
+        eval("assert_unreached('eval')");
+        assert_ureached('eval');

[andypaicu, 2017/02/22 12:47:03]

Typo here "assert_unreached"

[Mike West, 2017/02/22 14:54:00]

I guess it really was unreached, eh? :)

+      } catch (e) {
+      }
+    }, "eval() should not have a script-sample.");
+</script>