1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
<!DOCTYPE html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/content-security-policy/support/testharness-helper.js"></script>
</head>
<body>
<!-- Some elements for the tests to act on. -->
<div id="div"></div>
<script id="script-src" src=""></script>
<script id="script"></script>
<script id="script2"></script>
<script>
// CSP insists the "trusted-types: ..." directives are deliverd as headers
// (rather than as "meta http-equiv" tags). This test assumes the following
// headers are set in the .headers file:
//
// Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...
// Return function that returns a promise that resolves on the given
// violation report.
function expect_violation(filter) {
return new Promise((resolve, reject) => {
function handler(e) {
if (e.originalPolicy.includes(filter)) {
document.removeEventListener("securitypolicyviolation", handler);
e.stopPropagation();
resolve(e);
}
}
document.addEventListener("securitypolicyviolation", handler);
});
}
// A sample policy we use to test trustedTypes.createPolicy behaviour.
const id = x => x;
const policy = trustedTypes.createPolicy("two", {
createHTML: id,
createScriptURL: id,
createScript: id,
});
/*
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("script").src = "#abc";
assert_true(document.getElementById("script").src.endsWith("#abc"));
return p;
}, "Trusted Type violation report-only: assign string to script url");
*/
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("div").innerHTML = "abc";
assert_equals(document.getElementById("div").textContent, "abc");
return p;
}, "Trusted Type violation report-only: assign string to html");
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("script-src").src = "#";
assert_true(document.getElementById("script-src").src.endsWith("#"));
return p;
}, "Trusted Type violation report-only: assign string to script.src");
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("script").innerHTML = "con" + "sole.log('Hello');";
assert_true(document.getElementById("script").textContent.startsWith("consol"));
return p;
}, "Trusted Type violation report-only: assign string to script content");
promise_test(t => {
let p = expect_violation("trusted-types two");
document.getElementById("script").src = "#def";
return p.then(report => {
assert_equals(report.documentURI, "" + window.location);
assert_equals(report.disposition, "report");
assert_equals(report.effectiveDirective, "require-trusted-types-for");
assert_equals(report.violatedDirective, "require-trusted-types-for");
assert_true(report.originalPolicy.startsWith("trusted-types two;"));
});
}, "Trusted Type violation report: check report contents");
</script>
</body>
|
