
Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/document-write-srcdoc.html

Issue 2657623005: WIP: Give developers an opt-in mechanism to block some parser-inserted scripts.
Patch Set: Refactor. Created 3 years, 11 months ago
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/document-write-srcdoc.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/document-write-srcdoc.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/document-write-srcdoc.html
new file mode 100644
index 0000000000000000000000000000000000000000..5511de3aa32906da23d34c5035d0341c4eac0397
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/parserInserted/document-write-srcdoc.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<meta http-equiv="Content-Security-Policy" content="script-src 'disallow-all-the-parser-inserted-scripts-ever-except-for-the-ones-we-like' 'self' 'unsafe-inline'">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+
+<script>
+ var payload = `
+ <script>
+ var current = window;
+ while (current.frameElement) {
+ current.frameElement.executedScript = true;
+ current = current.parent;
+ }
+ </scr` + `ipt>
+ `;
+
+ function assert_no_execution(name, html) {
+ async_test(t => {
+ var observer = new MutationObserver(mutations => {
+ for (var mutation of mutations) {
+ for (var node of mutation.addedNodes) {
+ if (node.dataset['test'] == name) {
+ observer.disconnect();
+ node.addEventListener('load', t.step_func(e => {
+ // Give nested scripts a frame or so to execute:
+ requestAnimationFrame(t.step_func_done(_ => {
+ assert_equals(node.executedScript, undefined, "Script should not execute.");
+ node.remove();
+ }));
+ }));
+ }
+ }
+ }
+ });
+ observer.observe(document.body, { childList: true });
+ document.write(html.replace(/<iframe/, `<iframe data-test="${name}"`));
+ }, name);
+ }
+</script>
+<script>
+ assert_no_execution("script in srcdoc", `<iframe srcdoc="${payload}"></iframe>`);
+</script>
+<script>
+ assert_no_execution("script in nested srcdoc", `<iframe srcdoc="<iframe srcdoc='${payload}'></iframe>"></iframe>`);
+</script>
+<script>
+ assert_no_execution("script in nested srcdoc in nested srcdoc", `<iframe srcdoc="<iframe srcdoc=&quot;<iframe srcdoc='${payload}'></iframe>&quot;></iframe>"></iframe>`);
+</script>
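Review bot: The only assertion, `assert_equals(node.executedScript, undefined, ...)` in `assert_no_execution`, is a negative check with no positive control, so all three cases also pass if the payload never runs for an unrelated reason (for example the srcdoc markup not surviving the nested attribute quoting, or the marker not propagating up the `frameElement` chain). Because the policy also carries `'unsafe-inline'`, the test should show that the new source expression is what blocks the script: a companion page with the same payload and the keyword omitted from the `<meta>` policy, asserting that `executedScript` is `true`, would do that. Separately, the observer callback reads `node.dataset['test']` on every added node and is not wrapped in `t.step_func`, so a text node in `addedNodes` would throw outside the test; `if (node.dataset && node.dataset.test === name) {` avoids that.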
