Diffstat (limited to 'dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html')
-rw-r--r-- | dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html b/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
new file mode 100644
index 0000000000..ee94f250d7
--- /dev/null
+++ b/dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta charset="utf-8">
+ <meta http-equiv="Content-Security-Policy"
+ content="script-src 'nonce-foobar' 'strict-dynamic'">
+ <title>Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled
+ </title>
+ <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+ </script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
+ * check if the eval function is blocked correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+ // eslint-disable-next-line no-eval
+ eval("1");
+ ok(false, "eval should be blocked by CSP");
+}
+catch (ex) {
+ ok(true, "eval blocked by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html> |
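Review bot: The `catch (ex)` branch records a pass for any exception, so the test cannot distinguish a CSP block from an unrelated failure inside the `try` body. A CSP-blocked `eval` is expected to throw an `EvalError`, so the assertion could be tightened to `ok(ex instanceof EvalError, "eval blocked by CSP");`. The test also exercises only direct `eval`; the other string-to-code sinks governed by the same policy (`new Function(...)`, string arguments to `setTimeout`) are not covered here, which may be deliberate for this bug but is worth a line in the description comment.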