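<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
  <!--
    Purpose: verify that a script-src policy without 'unsafe-eval' blocks
    eval() and reports the block as a CSP violation.

    The policy is declared before any script element, so it is already in
    force when the harness files and the inline test script are processed.
    'self' permits the same-origin testharness files, 'unsafe-inline' permits
    the inline test script below, and 'unsafe-eval' is deliberately absent.
    That absence is the only thing this page relies on to stop eval().
  -->
  <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
</head>
<body>
  <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1>
  <div id="log"></div>

  <script>
    // Async test: completes once the browser reports the blocked eval() as a
    // CSP violation. The listener is attached before eval() is attempted so
    // the event cannot be missed.
    // NOTE(review): only violatedDirective is asserted; other fields of the
    // event (for example blockedURI) are not checked by this test.
    var t_spv = async_test("Test that securitypolicyviolation event is fired");
    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
      assert_equals(e.violatedDirective, "script-src");
    }));

    // Flipped only if the string handed to eval() is actually executed.
    var evalRan = false;

    // Enforcement check 1: the call itself must throw EvalError.
    test(function() {
      assert_throws_js(EvalError, function() { eval('evalRan = true;'); });
    }, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");

    // Enforcement check 2: throwing is not enough, the payload must not have
    // had any side effect. No name is passed here, so the harness falls back
    // to its default test name; it is left unnamed so the reported test
    // identity stays the same.
    test(function() {
      assert_false(evalRan);
    });
  </script>
</body>
</html>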