OLD | NEW |
---|---|
(Empty) | |
1 <!DOCTYPE html> | |
2 <script src="/resources/testharness.js"></script> | |
3 <script src="/resources/testharnessreport.js"></script> | |
4 | |
5 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> | |
6 <body> | |
7 <script nonce="abc"> | |
8 function assert_csp_event_for_element(test, element) { | |
9 document.addEventListener("securitypolicyviolation", test.step_func(e => { | |
10 if (e.target != element) | |
11 return; | |
12 assert_equals(e.blockedURI, "inline"); | |
13 assert_equals(e.effectiveDirective, "script-src"); | |
14 assert_equals(element.contentDocument.body.innerText, ""); | |
foolip
2016/11/10 09:25:01
What's this checking? That it's still the about:bl
Mike West
2016/11/10 12:44:52
We navigate the document to `javascript:'Fail.'` (
foolip
2016/11/11 09:39:40
OK, thanks for documenting.
| |
15 element.parentNode.removeChild(element); | |
foolip
2016/11/10 09:25:01
element.remove()
Mike West
2016/11/10 12:44:52
Oh. Huh. :)
| |
16 test.done(); | |
17 })); | |
18 } | |
19 | |
20 async_test(t => { | |
21 var i = document.createElement("iframe"); | |
22 | |
23 assert_csp_event_for_element(t, i); | |
24 | |
25 i.src = "javascript:'Fail.'"; | |
26 document.body.appendChild(i); | |
27 }, "<iframe src='javascript:'> blocked without 'unsafe-inline'."); | |
28 | |
29 async_test(t => { | |
30 var i = document.createElement("iframe"); | |
31 | |
32 assert_csp_event_for_element(t, i); | |
33 | |
34 i.onload = _ => { i.src = "javascript:'Fail.'"; } | |
35 document.body.appendChild(i); | |
36 }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'."); | |
37 | |
38 async_test(t => { | |
39 var i = document.createElement("iframe"); | |
40 | |
41 assert_csp_event_for_element(t, i); | |
42 | |
43 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'unsafe-inline'"); | |
44 i.onload = _ => { i.src = "javascript:'Fail.'"; } | |
45 document.body.appendChild(i); | |
46 }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document"); | |
47 | |
48 async_test(t => { | |
49 var i = document.createElement("iframe"); | |
50 | |
51 assert_csp_event_for_element(t, i); | |
52 | |
53 i.src = "/security/contentSecurityPolicy/resources/csp.php?csp=" + encodeURI Component("script-src 'none'"); | |
54 i.onload = _ => { i.src = "javascript:'Fail.'"; } | |
55 document.body.appendChild(i); | |
56 }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' bloc ked in this document."); | |
57 </script> | |
OLD | NEW |