path: root/testing/web-platform/tests/trusted-types/default-policy-report-only.html
<!DOCTYPE html>
<html>
<head>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/helper.sub.js"></script>
</head>
<body>
<script>
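// Count the securitypolicyviolation events raised while the rest of this file
// runs, so that only the expected assignments are seen to produce reports.
// Going by the file name, this page is meant to run with Trusted Types in
// report-only mode (the CSP header itself is not part of this file): a
// violation is reported, but the assignment still goes through.
// The Promise resolves when an event whose sample includes the string "done"
// is received; the last line of this test file triggers that event.
promise_test(t => {
  const count = { "null": 0, "undefined": 0, "nodefault": 0 };
  return new Promise((resolve, reject) => {
    document.addEventListener("securitypolicyviolation", e => {
      e.stopPropagation();
      // Classify each report by the marker string found in its sample.
      // Expected: one "nodefault" report per test case (assignments made
      // before the default policy is registered, further down this file), one
      // "null" and one "undefined" report per test case (the default policy
      // returned no usable value), and a single "done" report that ends the
      // run. "done" is checked first so it always terminates the count.
      if (e.sample.includes("done")) {
        resolve(count);
      } else if (e.sample.includes("null")) {
        count["null"]++;
      } else if (e.sample.includes("undefined")) {
        count["undefined"]++;
      } else if (e.sample.includes("nodefault")) {
        count["nodefault"]++;
      } else {
        // Any other sample means an assignment reported a violation that this
        // test does not expect (for example one the policy accepted, or one
        // where the policy threw). Name the sample so the failure is
        // diagnosable instead of rejecting with undefined.
        reject(new Error("Unexpected securitypolicyviolation sample: " +
                         e.sample));
      }
    });
  }).then(counters => {
    // Every marker must have been reported exactly once per test case.
    for (const counter of ["null", "undefined", "nodefault"]) {
      assert_equals(counters[counter], testCases.length,
                    "event count of " + counter);
    }
  });
}, "Count SecurityPolicyViolation events.");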

// Each entry is [element tag name, property to assign]. The three properties
// cover the three callbacks of the default policy registered later in this
// file: createScriptURL, createHTML and createScript.
const testCases = [
  ["script", "src"],
  ["div", "innerHTML"],
  ["script", "text"],
];

// Exercise every sink _before_ a default policy exists. The plain string is
// still written to the property (asserted below), and the counting test at
// the top of this file expects one "nodefault" violation report per case.
for (const [tag, prop] of testCases) {
  test(() => {
    const target = document.createElement(tag);
    target[prop] = "nodefault";
    // includes() rather than equality: presumably because some properties
    // (e.g. script.src) do not read back byte-for-byte - confirm.
    const readBack = target[prop];
    assert_true(readBack.includes("nodefault"));
  }, `${tag}.${prop} no default policy`);
}

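/**
 * Trusted Types policy callback that forces a number of edge cases, selected
 * by the exact input string.
 *
 * This is test scaffolding only: the "sanitized: " prefix is a marker that
 * lets the tests see that the policy ran. No sanitisation is performed, so
 * this must not be taken as a model for a production default policy.
 *
 * @param {string} str - The value being assigned to the sink.
 * @returns {string|null|undefined} null for "null" and "done", undefined for
 *     "undefined", otherwise the input prefixed with "sanitized: ".
 * @throws {RangeError} When str is "throw".
 * @throws {TypeError} When str is "typeerror" (from calling a method that
 *     does not exist on document).
 */
function policy(str) {
  switch (str) {
    case "throw":
      throw new RangeError();
    case "null":
      return null;
    case "undefined":
      return undefined;
    case "typeerror":
      // document.bla is not a function, so this call itself raises the
      // TypeError the tests look for.
      return document.bla();
    case "done":
      // End-of-run signal: returning null makes the final assignment in this
      // file produce the violation report that resolves the counting test.
      return null;
    default:
      return "sanitized: " + str;
  }
}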

// Register the default policy. From this point on, plain-string assignments
// to the sinks exercised below are routed through policy(); the same callback
// serves all three value kinds.
trustedTypes.createPolicy("default", {
  createHTML: policy,
  createScript: policy,
  createScriptURL: policy,
});

// With the default policy registered, drive every sink through each policy
// outcome: a rewritten value, null, a thrown RangeError, undefined, and a
// TypeError raised inside the policy.
for (const [tag, prop] of testCases) {
  // Policy returns a string: the sink holds the policy's output.
  test(() => {
    const target = document.createElement(tag);
    target[prop] = "abc";
    assert_equals(target[prop], "sanitized: abc");
  }, `${tag}.${prop} default`);

  // Policy returns null: the original string is still written (and a
  // violation report is expected by the counting test at the top of the file).
  test(() => {
    const target = document.createElement(tag);
    target[prop] = "null";
    const readBack = target[prop];
    assert_true(readBack.includes("null"));
  }, `${tag}.${prop} null`);

  // Policy throws: the exception reaches the code doing the assignment.
  test(() => {
    const target = document.createElement(tag);
    assert_throws_js(RangeError, () => {
      target[prop] = "throw";
    });
  }, `${tag}.${prop} throw`);

  // Policy returns undefined: same expectation as the null case.
  test(() => {
    const target = document.createElement(tag);
    target[prop] = "undefined";
    const readBack = target[prop];
    assert_true(readBack.includes("undefined"));
  }, `${tag}.${prop} undefined`);

  // Policy fails with a TypeError of its own: it is not swallowed either.
  test(() => {
    const target = document.createElement(tag);
    assert_throws_js(TypeError, () => {
      target[prop] = "typeerror";
    });
  }, `${tag}.${prop} typeerror`);
}

// Trigger the exit condition in the "Count" promise test above: the default
// policy returns null for "done", and the resulting violation report is what
// resolves that test's Promise.
try {
  const sentinel = document.createElement("script");
  sentinel.text = "done";
} catch (e) {
  // Deliberately ignored: only the violation report matters here, and an
  // exception from this assignment must not abort the script.
}
</script>
</body>