testing/web-platform/tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<!DOCTYPE html>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc' blob:">
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<script nonce="abc">
    async_test(t => {
        var watcher = new EventWatcher(t, document, 'securitypolicyviolation');
        watcher.wait_for('securitypolicyviolation').then(t.step_func_done(e => {
            assert_equals(e.blockedURI, "eval");
            assert_equals(e.sourceFile, "blob");
            assert_equals(e.lineNumber, 3);
            assert_equals(e.columnNumber, 16);
        }));

        var scriptText = `
            try {
                eval("assert_unreached('no eval')");
            } catch (e) {
                assert_equals(e.name, 'EvalError');
            }
        `;
        var s = document.createElement("script");
        s.src = URL.createObjectURL(new Blob([scriptText], {type: "text/javascript"}));
        document.head.append(s);
    }, "Violations from data:-URL scripts have a sourceFile of 'blob'");
</script>