diff options
Diffstat (limited to '')
2 files changed, 35 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html new file mode 100644 index 0000000000..757db4f37b --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html @@ -0,0 +1,31 @@ +<!DOCTYPE html> +<html> +<head> + <script nonce='abc' src="/resources/testharness.js"></script> + <script nonce='abc' src="/resources/testharnessreport.js"></script> + <!-- CSP headers +Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} +--> +</head> +<body> + <script nonce='abc'> + var t = async_test("Eval is allowed because the CSP is report-only"); + + var t_spv = async_test("SPV event is still raised"); + t_spv.step_timeout(t_spv.unreached_func("SPV event has not been received"), 3000); + document.addEventListener('securitypolicyviolation', t_spv.step_func(e => { + assert_equals(e.violatedDirective, "script-src"); + assert_equals(e.blockedURI, "eval"); + t_spv.done(); + })); + + try { + eval("t.done()"); + } catch { + t.step(t.unreached_func("The eval should have executed succesfully")); + t_spv.step(t_spv.unreached_func("The eval execution should have triggered a securitypolicyviolation event")); + } + </script> + <script nonce='abc' async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27'></script> +</body> +</html> diff --git a/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers new file mode 100644 index 0000000000..5ca4a65261 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/reporting/report-only-unsafe-eval.html.sub.headers @@ -0,0 +1,4 @@ +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Set-Cookie: report-only-unsafe-eval={{$id:uuid()}}; Path=/content-security-policy/reporting/ +Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} |