Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 86 insertions, 0 deletions

diff --git a/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html
new file mode 100644
index 0000000000..fcb7784116
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.html
@@ -0,0 +1,86 @@
+<!DOCTYPE html>
+<head>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/content-security-policy/support/testharness-helper.js"></script>
+</head>
+<body>
+
+  <!-- Some elements for the tests to act on. -->
+  <div id="div"></div>
+  <script id="script-src" src=""></script>
+  <script id="script"></script>
+  <script id="script2"></script>
+
+  <script>
+  // CSP insists the "trusted-types: ..." directives are deliverd as headers
+  // (rather than as "meta http-equiv" tags). This test assumes the following
+  // headers are set in the .headers file:
+  //
+  //   Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...
+
+  // Return function that returns a promise that resolves on the given
+  // violation report.
+  function expect_violation(filter) {
+    return new Promise((resolve, reject) => {
+      function handler(e) {
+        if (e.originalPolicy.includes(filter)) {
+          document.removeEventListener("securitypolicyviolation", handler);
+          e.stopPropagation();
+          resolve(e);
+        }
+      }
+      document.addEventListener("securitypolicyviolation", handler);
+    });
+  }
+
+  // A sample policy we use to test trustedTypes.createPolicy behaviour.
+  const id = x => x;
+  const policy = trustedTypes.createPolicy("two", {
+    createHTML: id,
+    createScriptURL: id,
+    createScript: id,
+  });
+/*
+  promise_test(t => {
+    let p = expect_violation("trusted-types two");
+    document.getElementById("script").src = "#abc";
+    assert_true(document.getElementById("script").src.endsWith("#abc"));
+    return p;
+  }, "Trusted Type violation report-only: assign string to script url");
+*/
+
+  promise_test(t => {
+    let p = expect_violation("trusted-types two");
+    document.getElementById("div").innerHTML = "abc";
+    assert_equals(document.getElementById("div").textContent, "abc");
+    return p;
+  }, "Trusted Type violation report-only: assign string to html");
+
+  promise_test(t => {
+    let p = expect_violation("trusted-types two");
+    document.getElementById("script-src").src = "#";
+    assert_true(document.getElementById("script-src").src.endsWith("#"));
+    return p;
+  }, "Trusted Type violation report-only: assign string to script.src");
+
+  promise_test(t => {
+    let p = expect_violation("trusted-types two");
+    document.getElementById("script").innerHTML = "con" + "sole.log('Hello');";
+    assert_true(document.getElementById("script").textContent.startsWith("consol"));
+    return p;
+  }, "Trusted Type violation report-only: assign string to script content");
+
+  promise_test(t => {
+    let p = expect_violation("trusted-types two");
+    document.getElementById("script").src = "#def";
+    return p.then(report => {
+      assert_equals(report.documentURI, "" + window.location);
+      assert_equals(report.disposition, "report");
+      assert_equals(report.effectiveDirective, "require-trusted-types-for");
+      assert_equals(report.violatedDirective, "require-trusted-types-for");
+      assert_true(report.originalPolicy.startsWith("trusted-types two;"));
+    });
+  }, "Trusted Type violation report: check report contents");
+  </script>
+</body>