<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';" />
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// Identity policy: createScript returns its argument unchanged, so anything
// passed through it becomes a TrustedScript. This is only appropriate in a
// test fixture; a pass-through policy performs no validation of its input.
const policy = trustedTypes.createPolicy("sample", {
  createScript: (scriptText) => scriptText,
});
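// Registers a promise_test named |description|. The test evaluates a
// TrustedScript annotated with `//# sourceURL=|input|` and checks that the
// resulting securitypolicyviolation event reports |output| as its sourceFile.
//
// |input| is spliced verbatim into the evaluated source text, so callers must
// only pass fixed literals.
const testSourceFile = (description, input, output) => {
  promise_test(async test => {
    // Subscribe before running the script, so the listener is in place when
    // the violation event is dispatched.
    let onViolation;
    const violation = new Promise(resolve => {
      onViolation = resolve;
      document.addEventListener("securitypolicyviolation", onViolation,
                                {once: true});
    });
    // If this test ends before the event fires, drop the listener so it
    // cannot pick up a violation raised by a later test.
    test.add_cleanup(() => {
      document.removeEventListener("securitypolicyviolation", onViolation);
    });

    // A trusted script using a customized sourceURL. The outer eval() is
    // allowed because it receives a TrustedScript; the inner eval('') passes
    // a plain string and is what triggers the Trusted Types violation.
    const trustedScript = policy.createScript([
      "",
      "eval('');",
      `//# sourceURL=${input}`,
      "",
    ].join("\n"));

    // Record whether the evaluation threw, and assert outside the try/catch.
    // Calling assert_unreached() inside the try would be swallowed by the
    // catch-all below and could never fail the test.
    let threw = false;
    try {
      eval(trustedScript);
    } catch (e) {
      threw = true;
    }
    assert_true(threw, "evaluating the script should throw");

    assert_equals((await violation).sourceFile, output);
  }, description);
};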
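// The expected values below pin down how sourceFile is sanitized before it
// is exposed in a violation report, so that a report does not carry
// credentials, query strings or fragments taken from a script's URL.

// http(s) and ws(s) URLs are reported in full. Each description names the
// scheme actually passed as input.
testSourceFile("Basic HTTP URL",
               "http://dummy.test/script1.js",
               "http://dummy.test/script1.js");
testSourceFile("Basic HTTPS URL",
               "https://dummy.test/script1.js",
               "https://dummy.test/script1.js");
testSourceFile("Basic WSS URL",
               "wss://dummy.test/script1.js",
               "wss://dummy.test/script1.js");
testSourceFile("Basic WS URL",
               "ws://dummy.test/script1.js",
               "ws://dummy.test/script1.js");

// Fragment, query and userinfo are stripped; an explicit port is kept.
testSourceFile("Fragment",
               "https://dummy.test/script1.js#frag",
               "https://dummy.test/script1.js");
testSourceFile("Query",
               "https://dummy.test/script1.js?query",
               "https://dummy.test/script1.js");
testSourceFile("Port",
               "https://dummy.test:8080/script1.js",
               "https://dummy.test:8080/script1.js");
testSourceFile("User:password",
               "https://user:password@dummy.test/script1.js",
               "https://dummy.test/script1.js");
testSourceFile("User",
               "https://user@dummy.test/script1.js",
               "https://dummy.test/script1.js");

// A sourceURL that is not an absolute URL is reported as the empty string.
testSourceFile("Invalid URL",
               "script2.js",
               "");

// For every other scheme only the scheme name is reported.
testSourceFile("file:",
               "file:///temp/script3.js",
               "file");
testSourceFile("Custom protocol",
               "webpack://node_modules/sample/script4.js",
               "webpack");
testSourceFile("about:blank",
               "about:blank",
               "about");
testSourceFile("about:custom",
               "about:custom",
               "about");
testSourceFile("data:",
               "data:text/html;charset=utf8,<html></html>",
               "data");
testSourceFile("blob:",
               "blob:http://test.test/012345-6789-abcd-efab-0123456789",
               "blob");
testSourceFile("javascript:",
               "javascript:void(0)",
               "javascript");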
</script>