summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html')
-rw-r--r--dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html37
1 files changed, 37 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html b/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
new file mode 100644
index 0000000000..ee94f250d7
--- /dev/null
+++ b/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta http-equiv="Content-Security-Policy"
+ content="script-src 'nonce-foobar' 'strict-dynamic'">
+ <title>Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled
+ </title>
+ <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+ </script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
+ * check if the eval function is blocked correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+ // eslint-disable-next-line no-eval
+ eval("1");
+ ok(false, "eval should be blocked by CSP");
+}
+catch (ex) {
+ ok(true, "eval blocked by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-16 23:34:03 +0000