Diffstat (limited to '')
-rw-r--r--testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html113
-rw-r--r--testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html.headers3
2 files changed, 116 insertions, 0 deletions
diff --git a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html
new file mode 100644
index 0000000000..2b0922d212
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html
@@ -0,0 +1,113 @@
+<!DOCTYPE html>
+<head>
+ <script nonce="123" src="/resources/testharness.js"></script>
+ <script nonce="123"src="/resources/testharnessreport.js"></script>
+ <script nonce="123"src="/content-security-policy/support/testharness-helper.js"></script>
+</head>
+<body>
+ <script nonce="123">
+ // CSP insists the "trusted-types: ..." directives are deliverd as headers
+ // (rather than as "<meta http-equiv" tags). This test assumes the following
+ // headers are set in the .headers file:
+ //
+ // Content-Security-Policy: script-src 'unsafe-inline'; report-uri ...
+ // Content-Security-Policy: object-src 'none'
+ // Content-Security-Policy: require-trusted-types-for 'script'
+ //
+ // The second rule is there so we can provoke a CSP violation report at will.
+ // The intent is that in order to test that a violation has *not* been thrown
+ // (and without resorting to abominations like timeouts), we force a *another*
+ // CSP violation (by violating the object-src rule) and when that event is
+ // processed we can we sure that an earlier event - if it indeed occurred -
+ // must have already been processed.
+
+ // Return function that returns a promise that resolves on the given
+ // violation report.
+ // how_many - how many violation events are expected.
+ // filter_arg - iff function, call it with the event object.
+ // Else, string-ify and compare against event.originalPolicy.
+ function promise_violation(filter_arg) {
+ return _ => new Promise((resolve, reject) => {
+ function handler(e) {
+ let matches = (filter_arg instanceof Function)
+ ? filter_arg(e)
+ : (e.originalPolicy.includes(filter_arg));
+ if (matches) {
+ document.removeEventListener("securitypolicyviolation", handler);
+ e.stopPropagation();
+ resolve(e);
+ }
+ }
+ document.addEventListener("securitypolicyviolation", handler);
+ });
+ }
+
+ // Like assert_throws_*, but we don't care about the exact error. We just want
+ // to run the code and continue.
+ function expect_throws(fn) {
+ try { fn(); assert_unreached(); } catch (err) { /* ignore */ }
+ }
+
+ // A sample policy we use to test trustedTypes.createPolicy behaviour.
+ const id = x => x;
+ const a_policy = {
+ createHTML: id,
+ createScriptURL: id,
+ createURL: id,
+ createScript: id,
+ };
+
+ const scriptyPolicy = trustedTypes.createPolicy('allowEval', a_policy);
+
+ // Provoke/wait for a CSP violation, in order to be sure that all previous
+ // CSP violations have been delivered.
+ function promise_flush() {
+ return promise_violation("object-src 'none'");
+ }
+ function flush() {
+ expect_throws(_ => {
+ var o = document.createElement('object');
+ o.type = "application/x-shockwave-flash";
+ document.body.appendChild(o);
+ });
+ }
+
+ window.script_run_beacon = 'never_overwritten';
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("require-trusted-types-for 'script'"))
+ .then(promise_flush());
+ expect_throws(_ => eval('script_run_beacon="should not run"'));
+ assert_equals(script_run_beacon, 'never_overwritten');
+ flush();
+ return p;
+ }, "Trusted Type violation report: evaluating a string violates both script-src and trusted-types.");
+
+ promise_test(t => {
+ let p = Promise.resolve()
+ .then(promise_violation("script-src"))
+ .then(promise_flush());
+ expect_throws(_ => eval(scriptyPolicy.createScript('script_run_beacon="i ran"')));
+ flush();
+ assert_not_equals(script_run_beacon, 'i ran'); // Code did not run.
+ return p;
+ }, "Trusted Type violation report: evaluating a Trusted Script violates script-src.");
+
+ promise_test(t => {
+ trustedTypes.createPolicy('default', {
+ createScript: s => s.replace('payload', 'default policy'),
+ }, true);
+ let p = Promise.resolve()
+ .then(promise_violation((e) =>
+ e.effectiveDirective.includes('script-src') &&
+ e.sample.includes("default policy")))
+ .then(promise_flush());
+ expect_throws(_ => eval('script_run_beacon="payload"')); // script-src will block.
+ assert_not_equals(script_run_beacon, 'default policy'); // Code did not run.
+ flush();
+ return p;
+ }, "Trusted Type violation report: script-src restrictions apply after the default policy runs.");
+
+ </script>
+</body>
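Review bot: `expect_throws` can never fail, because the `assert_unreached()` inside its `try` throws into the same `catch`, which ignores it. As a result the `eval(...)` calls in all three tests are never checked to throw, and only the `script_run_beacon` assertions guard against the blocked script running. If the exception is part of what is under test, record it outside the `try`, e.g. `let threw = false; try { fn(); } catch (e) { threw = true; }` followed by `assert_true(threw, "expected an exception");`. `flush()` would then need to append the `<object>` directly, since that call presumably does not throw. The leading comment is also stale: it lists `script-src 'unsafe-inline'; report-uri ...` where the .headers file in this commit sends `script-src http: https: 'nonce-123' 'report-sample'` (the third test reads `e.sample`, so `'report-sample'` deserves a mention), and it documents a `how_many` parameter that `promise_violation` does not take.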
diff --git a/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html.headers b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html.headers
new file mode 100644
index 0000000000..2bdd8a7d1a
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/trusted-types-eval-reporting-no-unsafe-eval.tentative.html.headers
@@ -0,0 +1,3 @@
+Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
+Content-Security-Policy: object-src 'none'
+Content-Security-Policy: require-trusted-types-for 'script'