testing/web-platform/tests/content-security-policy/securitypolicyviolation/script-sample.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

<!doctype html>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' 'report-sample'; style-src 'self'; img-src 'none'">
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<body>
<script nonce="abc">
    function waitForViolation(el) {
      return new Promise(resolve => {
        el.addEventListener('securitypolicyviolation', e => resolve(e));
      });
    }

    async_test(t => {
      var s = document.createElement('script');
      s.innerText = "assert_unreached('inline script block')";

      waitForViolation(s)
        .then(t.step_func_done(e => {
          assert_equals(e.blockedURI, "inline");
          assert_equals(e.sample, "assert_unreached('inline script block')");
        }));

      document.head.append(s);
    }, "Inline script should have a sample.");

    async_test(t => {
      var a = document.createElement("a");
      a.setAttribute("onclick", "assert_unreached('inline event handler')");

      waitForViolation(a)
        .then(t.step_func_done(e => {
          assert_equals(e.blockedURI, "inline");
          assert_equals(e.sample, "assert_unreached('inline event handler')");
        }));

      document.body.append(a);
      a.click();
    }, "Inline event handlers should have a sample.");

    async_test(t => {
      var i = document.createElement("iframe");
      i.src = "javascript:'inline url'";

      waitForViolation(i)
        .then(t.step_func_done(e => {
          assert_equals(e.blockedURI, "inline");
          assert_equals(e.sample, "javascript:'inline url'");
        }));

      document.body.append(i);
    }, "JavaScript URLs in iframes should have a sample.");

    async_test(t => {
      document.addEventListener('securitypolicyviolation', t.step_func(e => {
        if (e.blockedURI == "eval" &&
            e.sample == "assert_unreached('eval')") {
          t.done();
        }
      }));
      try {
        eval("assert_unreached('eval')");
        assert_unreached('eval');
      } catch (e) {
      }
    }, "eval() should have a sample.");

    async_test(t => {
      document.addEventListener('securitypolicyviolation', t.step_func(e => {
        if (e.blockedURI == "eval" &&
            e.sample == "assert_unreached('interval')") {
          t.done();
        }
      }));
      try {
        setInterval("assert_unreached('interval')", 1000);
        assert_unreached('interval');
      } catch (e) {
      }
    }, "setInterval() should have a sample.");

    async_test(t => {
      document.addEventListener('securitypolicyviolation', t.step_func(e => {
        if (e.blockedURI == "eval" &&
            e.sample == "assert_unreached('timeout')") {
          t.done();
        }
      }));
      try {
        setTimeout("assert_unreached('timeout')", 1000);
        assert_unreached('timeout');
      } catch (e) {
      }
    }, "setTimeout() should have a sample.");
</script>