reporting-api-sends-reports-on-violation-2.https.sub.html

firefox-main/testing/web-platform/tests/content-security-policy/reporting-api/reporting-api-sends-reports-on-violation-2.https.sub.html

Enable keyboard shortcuts

Source code

File a bug in Core :: DOM: Security

Revision control

Copy as Markdown

Other Tools

Test Info:

This WPT test may be referenced by the following Test IDs:
- /content-security-policy/reporting-api/reporting-api-sends-reports-on-violation-2.https.sub.html - WPT Dashboard Interop Dashboard

<!DOCTYPE HTML>

<html>

<head>

  <title>Test that reports using the report-api service are sent when there's a violation and that they contain source information if JS is running</title>

  <script src='/resources/testharness.js'></script>

  <script src='/resources/testharnessreport.js'></script>

</head>

<body>

  <script>

    const t1 = async_test("Test that image does not load");

    async_test(function(t2) {

    window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {

        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");

        assert_equals(e.violatedDirective, "img-src");

        t2.done();

      }));

    }, "Event is fired");

    async_test(function(t3) {

      var observer = new ReportingObserver(function(reports, observer) {

        t3.step(function() {

          assert_equals(reports.length, 1);

          // Ensure that the contents of the report are valid.

          const base_url = "{{location[scheme]}}://{{location[host]}}/content-security-policy/"

          const document_url = base_url + "reporting-api/reporting-api-sends-reports-on-violation-2.https.sub.html";

          assert_equals(reports[0].type, "csp-violation");

          assert_equals(reports[0].url, document_url);

          assert_equals(reports[0].body.documentURL, document_url);

          assert_equals(reports[0].body.referrer, "");

          assert_equals(reports[0].body.blockedURL,

                        base_url + "support/fail.png");

          assert_equals(reports[0].body.effectiveDirective, "img-src");

          assert_equals(reports[0].body.originalPolicy,

                        "script-src 'self' 'unsafe-inline'; img-src 'none'; report-to csp-group");

          assert_equals(reports[0].body.sourceFile, document_url);

          assert_equals(reports[0].body.sample, "");

          assert_equals(reports[0].body.disposition, "enforce");

          assert_equals(reports[0].body.statusCode, 200);

          assert_in_array(reports[0].body.lineNumber, [53, 54]); // 0-or-1 based numbering

          assert_in_array(reports[0].body.columnNumber, [4, 5]); // 0-or-1 based numbering

});

        t3.done();

});

      observer.observe();

    }, "Report is observable to ReportingObserver");

  </script>

  <img id="theImage"

       onload='t1.unreached_func("The image should not have loaded");'

       onerror='t1.done();'>

  <script>

    theImage.src = '/content-security-policy/support/fail.png';

  </script>

  <script async defer src='../support/checkReport.sub.js?reportField=effectiveDirective&reportValue=img-src%20%27none%27'></script>

</body>

</html>