Diffstat (limited to 'testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html')
-rw-r--r-- | testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html
new file mode 100644
index 0000000000..fcb7784116
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html
@@ -0,0 +1,86 @@
+<!DOCTYPE html>
+<head>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ <script src="/content-security-policy/support/testharness-helper.js"></script>
+</head>
+<body>
+
+ <!-- Some elements for the tests to act on. -->
+ <div id="div"></div>
+ <script id="script-src" src=""></script>
+ <script id="script"></script>
+ <script id="script2"></script>
+
+ <script>
+ // CSP insists the "trusted-types: ..." directives are deliverd as headers
+ // (rather than as "meta http-equiv" tags). This test assumes the following
+ // headers are set in the .headers file:
+ //
+ // Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...
+
+ // Return function that returns a promise that resolves on the given
+ // violation report.
+ function expect_violation(filter) {
+ return new Promise((resolve, reject) => {
+ function handler(e) {
+ if (e.originalPolicy.includes(filter)) {
+ document.removeEventListener("securitypolicyviolation", handler);
+ e.stopPropagation();
+ resolve(e);
+ }
+ }
+ document.addEventListener("securitypolicyviolation", handler);
+ });
+ }
+
+ // A sample policy we use to test trustedTypes.createPolicy behaviour.
+ const id = x => x;
+ const policy = trustedTypes.createPolicy("two", {
+ createHTML: id,
+ createScriptURL: id,
+ createScript: id,
+ });
+/*
+ promise_test(t => {
+ let p = expect_violation("trusted-types two");
+ document.getElementById("script").src = "#abc";
+ assert_true(document.getElementById("script").src.endsWith("#abc"));
+ return p;
+ }, "Trusted Type violation report-only: assign string to script url");
+*/
+
+ promise_test(t => {
+ let p = expect_violation("trusted-types two");
+ document.getElementById("div").innerHTML = "abc";
+ assert_equals(document.getElementById("div").textContent, "abc");
+ return p;
+ }, "Trusted Type violation report-only: assign string to html");
+
+ promise_test(t => {
+ let p = expect_violation("trusted-types two");
+ document.getElementById("script-src").src = "#";
+ assert_true(document.getElementById("script-src").src.endsWith("#"));
+ return p;
+ }, "Trusted Type violation report-only: assign string to script.src");
+
+ promise_test(t => {
+ let p = expect_violation("trusted-types two");
+ document.getElementById("script").innerHTML = "con" + "sole.log('Hello');";
+ assert_true(document.getElementById("script").textContent.startsWith("consol"));
+ return p;
+ }, "Trusted Type violation report-only: assign string to script content");
+
+ promise_test(t => {
+ let p = expect_violation("trusted-types two");
+ document.getElementById("script").src = "#def";
+ return p.then(report => {
+ assert_equals(report.documentURI, "" + window.location);
+ assert_equals(report.disposition, "report");
+ assert_equals(report.effectiveDirective, "require-trusted-types-for");
+ assert_equals(report.violatedDirective, "require-trusted-types-for");
+ assert_true(report.originalPolicy.startsWith("trusted-types two;"));
+ });
+ }, "Trusted Type violation report: check report contents");
+ </script>
+</body> |
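Review bot: The handler in `expect_violation` resolves on any `securitypolicyviolation` event whose `originalPolicy` contains the filter, and all five tests pass the same string `"trusted-types two"`, so a test only shows that some report for that policy arrived, not that its own sink assignment caused it. A report still queued from an earlier test could satisfy a later one; each test should also assert a sink-specific field on the resolved event (for example `e.sample`, if the header setup, which is not visible here, makes a sample available). The `reject` argument is never used, so a missing report shows up only as a harness timeout with no message. The header comment documents only `trusted-types ...; report-uri ...`, while the last test expects `effectiveDirective` to be `require-trusted-types-for`, so the comment should name that directive as well (and `deliverd` should read `delivered`). The commented-out `promise_test` for "assign string to script url" should be deleted or given a one-line comment stating why it is disabled.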