OLD | NEW |
(Empty) | |
| 1 <!doctype html> |
| 2 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; styl
e-src 'self'"> |
| 3 <script nonce="abc" src="/resources/testharness.js"></script> |
| 4 <script nonce="abc" src="/resources/testharnessreport.js"></script> |
| 5 <script nonce="abc"> |
| 6 var unexecuted_test = async_test("These tests should not fail."); |
| 7 |
| 8 async_test(t => { |
| 9 var watcher = new EventWatcher(t, document, ['securitypolicyviolation']) |
| 10 watcher.wait_for('securitypolicyviolation') |
| 11 .then(t.step_func(e => { |
| 12 assert_equals(e.blockedURI, "inline"); |
| 13 assert_equals(e.target, document.querySelector('#block1')); |
| 14 return watcher.wait_for('securitypolicyviolation'); |
| 15 })) |
| 16 .then(t.step_func(e => { |
| 17 assert_equals(e.blockedURI, "inline"); |
| 18 assert_equals(e.target, document.querySelector('#block2')); |
| 19 return watcher.wait_for('securitypolicyviolation'); |
| 20 })) |
| 21 .then(t.step_func(e => { |
| 22 assert_equals(e.blockedURI, "inline"); |
| 23 assert_equals(e.target, document.querySelector('#block3')); |
| 24 return watcher.wait_for('securitypolicyviolation'); |
| 25 })) |
| 26 .then(t.step_func(e => { |
| 27 assert_equals(e.blockedURI, "inline"); |
| 28 assert_equals(e.target, document.querySelector('#block4')); |
| 29 return watcher.wait_for('securitypolicyviolation'); |
| 30 })) |
| 31 .then(t.step_func(e => { |
| 32 assert_equals(e.blockedURI, "inline"); |
| 33 assert_equals(e.target, document.querySelector('#block5')); |
| 34 return watcher.wait_for('securitypolicyviolation'); |
| 35 })) |
| 36 .then(t.step_func(e => { |
| 37 assert_equals(e.blockedURI, "inline"); |
| 38 assert_equals(e.lineNumber, 132); |
| 39 assert_equals(e.target, document, "Disconnected elements target
the document"); |
| 40 return watcher.wait_for('securitypolicyviolation'); |
| 41 })) |
| 42 .then(t.step_func(e => { |
| 43 assert_equals(e.blockedURI, "inline"); |
| 44 assert_equals(e.lineNumber, 143); |
| 45 assert_equals(e.target, document, "Elements disconnected after t
riggering target the document."); |
| 46 return watcher.wait_for('securitypolicyviolation'); |
| 47 })) |
| 48 .then(t.step_func(e => { |
| 49 assert_equals(e.blockedURI, "inline"); |
| 50 assert_equals(e.lineNumber, 157); |
| 51 assert_equals(e.target, document, "Elements in DocumentFragments
target the document"); |
| 52 })) |
| 53 .then(t.step_func_done(_ => { |
| 54 unexecuted_test.done(); |
| 55 })); |
| 56 }, "Inline violations target the right element."); |
| 57 </script> |
| 58 <!-- Inline block with no nonce. --> |
| 59 <script id="block1"> |
| 60 unexecuted_test.assert_unreached("This code block should not execute."); |
| 61 </script> |
| 62 |
| 63 <!-- Inline event handler. --> |
| 64 <a id="block2" onclick="void(0)">Click me!</a> |
| 65 <script nonce='abc'>document.querySelector('#block2').click();</script> |
| 66 |
| 67 <!-- Style block. --> |
| 68 <style id="block3"> |
| 69 p { color: red !important; } |
| 70 </style> |
| 71 |
| 72 <!-- Inline event handler inside Shadow DOM --> |
| 73 <div id="block4"></div> |
| 74 <script nonce='abc'> |
| 75 async_test(t => { |
| 76 var shadow = document.querySelector('#block4').attachShadow({"mode":"closed"
}); |
| 77 shadow.innerHTML = "<a id='block4a' onclick='void(0)'>Click!</a>"; |
| 78 var a = shadow.querySelector('#block4a'); |
| 79 a.addEventListener('securitypolicyviolation', t.step_func_done(e => { |
| 80 assert_equals(e.blockedURI, "inline"); |
| 81 assert_equals(e.target, a); |
| 82 })); |
| 83 a.click(); |
| 84 }, "Correct targeting inside shadow tree (inline handler)."); |
| 85 </script> |
| 86 |
| 87 <!-- Inline event handler inside Shadow DOM --> |
| 88 <div id="block5"></div> |
| 89 <script nonce='abc'> |
| 90 async_test(t => { |
| 91 var shadow = document.querySelector('#block5').attachShadow({"mode":"closed"
}); |
| 92 var style = document.createElement('style'); |
| 93 style.innerText = 'p { color: red; }'; |
| 94 style.addEventListener('securitypolicyviolation', t.step_func_done(e => { |
| 95 assert_equals(e.blockedURI, "inline"); |
| 96 assert_equals(e.target, style); |
| 97 })); |
| 98 shadow.appendChild(style); |
| 99 }, "Correct targeting inside shadow tree (style)."); |
| 100 </script> |
| 101 |
| 102 <!-- Pushed into a same-origin Document that isn't this Document --> |
| 103 <iframe id="block6"></iframe> |
| 104 <script nonce="abc"> |
| 105 async_test(t => { |
| 106 var d = document.createElement("div"); |
| 107 d.setAttribute("onclick", "void(0);"); |
| 108 var events = 0; |
| 109 d.addEventListener('securitypolicyviolation', t.step_func(e => { |
| 110 events++; |
| 111 assert_equals(e.blockedURI, "inline"); |
| 112 assert_equals(e.target, d); |
| 113 })); |
| 114 document.querySelector('#block6').contentDocument.addEventListener('security
policyviolation', t.step_func_done(e => { |
| 115 events++; |
| 116 assert_equals(e.blockedURI, "inline"); |
| 117 assert_equals(e.target, d); |
| 118 assert_equals(events, 2); |
| 119 })); |
| 120 document.querySelector('#block6').contentDocument.body.appendChild(d); |
| 121 d.click(); |
| 122 }, "Elements created in this document, but pushed into a same-origin frame tri
gger on that frame's document, not on this frame's document."); |
| 123 </script> |
| 124 |
| 125 <!-- Disconnected inline event handler --> |
| 126 <script nonce="abc"> |
| 127 async_test(t => { |
| 128 var d = document.createElement("div"); |
| 129 d.setAttribute("onclick", "void(0);"); |
| 130 d.addEventListener('securitypolicyviolation', t.unreached_func()); |
| 131 d.click(); |
| 132 t.done(); |
| 133 }, "Inline event handlers for disconnected elements target the document."); |
| 134 </script> |
| 135 |
| 136 <!-- Inline event handler, disconnected after click. --> |
| 137 <a id="block8" onclick="void(0)">Click me also!</a> |
| 138 <script nonce="abc"> |
| 139 async_test(t => { |
| 140 var a = document.querySelector('#block8'); |
| 141 a.addEventListener('securitypolicyviolation', t.unreached_func()); |
| 142 a.click(); |
| 143 a.parentNode.removeChild(a); |
| 144 t.done(); |
| 145 }, "Inline event handlers for elements disconnected after triggering target th
e document."); |
| 146 </script> |
| 147 |
| 148 <!-- Disconnected in a DocumentFragment --> |
| 149 <script nonce="abc"> |
| 150 async_test(t => { |
| 151 var f = new DocumentFragment(); |
| 152 var d = document.createElement('div'); |
| 153 d.setAttribute('onclick', 'void(0)'); |
| 154 d.addEventListener('securitypolicyviolation', t.unreached_func()); |
| 155 f.appendChild(d); |
| 156 d.click(); |
| 157 t.done(); |
| 158 }, "Inline event handlers for elements in a DocumentFragment target the docume
nt."); |
| 159 </script> |
OLD | NEW |