Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/securitypolicyviolation/source-file.html - WPT Dashboard Interop Dashboard
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';" />
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
const policy = trustedTypes.createPolicy("sample", {createScript: x => x});
// Check CSP violated by a script originating from |input| returns a CSP
// violation whose sourceFile is |output|.
const testSourceFile = (description, input, output) => {
promise_test(async test => {
// Listen for TrustedType violation.
const violation = new Promise(resolve => {
document.addEventListener("securitypolicyviolation", e => {
resolve(e);
}, {once: true});
});
// A trusted script using a customized sourceURL. The script's execution
// itself will trigger a TrustedType violation.
const trusted_script = policy.createScript(`
eval('');
//# sourceURL=${input}
`)
try {
eval(trusted_script);
assert_unreached();
} catch (e) {}
assert_equals((await violation).sourceFile, output);
}, description);
};
testSourceFile("Basic HTTPS URL",
testSourceFile("Basic HTTP URL",
testSourceFile("Basic WSS URL",
testSourceFile("Basic WS URL",
testSourceFile("Fragment",
testSourceFile("Query",
testSourceFile("Port",
testSourceFile("User:password",
testSourceFile("User",
testSourceFile("Invalid URL",
"script2.js",
"");
testSourceFile("file:",
"file");
testSourceFile("Custom protocol",
"webpack");
testSourceFile("about:blank",
"about:blank",
"about");
testSourceFile("about:custom",
"about:custom",
"about");
testSourceFile("data:",
"data:text/html;charset=utf8,<html></html>",
"data");
testSourceFile("blob:",
"blob");
testSourceFile("javascript:",
"javascript:void(0)",
"javascript");
</script>