testing/web-platform/tests/trusted-types/csp-block-eval.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

<!DOCTYPE html>
<html>
<head>
  <script nonce="abc" src="/resources/testharness.js"></script>
  <script nonce="abc" src="/resources/testharnessreport.js"></script>
  <script nonce="abc" src="support/helper.sub.js"></script>

  <!-- Note: Trusted Types enforcement, and a CSP that does not blanket-allow eval. -->
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; require-trusted-types-for 'script'">
</head>
<body>
<script nonce="abc">
  const p = createScript_policy(window, 1);

  test(t => {
    let a = 0;
    assert_throws_js(EvalError, _ => {
      eval('a="hello there"');
    });
    assert_equals(a, 0);
  }, "eval with plain string throws (both block).");

  test(t => {
    let a = 0;
    assert_throws_js(EvalError, _ => {
      eval(p.createScript('a="Hello transformed string"'));
    });
    assert_equals(a, 0);
  }, "eval with TrustedScript throws (script-src blocks).");
</script>