navigate-to-javascript-url-004.html

mozilla-central/testing/web-platform/tests/trusted-types/navigate-to-javascript-url-004.html

Enable keyboard shortcuts

Source code

File a bug in Core :: DOM: Security

Revision control

Copy as Markdown

Other Tools

Test Info:

This WPT test may be referenced by the following Test IDs:
- /trusted-types/navigate-to-javascript-url-004.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<meta http-equiv="Content-Security-Policy"

      content="require-trusted-types-for 'script'; connect-src 'none'">

<script src="/resources/testharness.js"></script>

<script src="/resources/testharnessreport.js"></script>

<script src="/common/rendering-utils.js"></script>

<script src="./support/csp-violations.js"></script>

<script src="./support/navigation-support.js"></script>

<script>

  promise_test(async _ => {

    await new Promise(resolve => window.addEventListener("load", resolve));

    const result = await setLocationToJavaScriptURL("make-invalid" /* defaultpolicy */);

    assert_false(result.javaScriptExecuted, "JavaScript shouldn't have been executed");

    assert_equals(result.violations.length, 1);

    const violation = result.violations[0];

    assert_equals(violation.violatedDirective, "require-trusted-types-for");

    assert_equals(violation.disposition, "enforce");

    assert_equals(violation.sample, `Location href|${clipSampleIfNeeded(kJavaScriptURLCode)}`);

    assert_equals(result.exception, null, "No exception");

  }, "Setting window.location to a javascript: URL with a default policy that returns an invalid URL should report a CSP violation without rethrowing the exception.");

</script>