Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<meta charset="UTF-8">
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="./support/csp-violations.js"></script>
<script>
// These are valid values for tt-policy-name per the spec's ABNF.
const validTrustedTypePolicyNames = [
"1",
"abcdefghijklmnopqrstuvwxyz",
"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
"0123456789",
"policy-name",
"policy=name",
"policy_name",
"policy/name",
"policy@name",
"policy.name",
"policy%name",
"policy#name",
"6xY/2x=3Y..."
];
validTrustedTypePolicyNames.forEach(trustedTypePolicyName => {
promise_test(async t => {
let results = await tryCreatingTrustedTypePoliciesWithCSP(
[trustedTypePolicyName],
`header(Content-Security-Policy,trusted-types ${encodeURIComponent(trustedTypePolicyName)},True)`
);
assert_equals(results.length, 1);
assert_equals(results[0].name, trustedTypePolicyName);
assert_equals(results[0].exception, null);
assert_equals(results[0].violatedPolicies.length, 0);
}, `valid tt-policy-name name "${trustedTypePolicyName}"`);
});
// These are invalid values for tt-policy-name per the spec's ABNF.
const invalidTrustedTypePolicyNames = [
// Space not accepted in tt-policy-name. This is treated as allowing names
// "policy" and "name" and so forbids creation of "policy name".
"policy name",
// '*' is not accepted in tt-policy-name. This could be treated as
// tt-wildcard, but tt-expressions must be separated by a
// required-ascii-whitespace.
"policy*name",
// '$', '?' '!' and non-ASCII letters are not accepted in tt-policy-name.
"policy$name",
"policy?name",
"policy!name",
];
invalidTrustedTypePolicyNames.forEach(trustedTypePolicyName => {
promise_test(async t => {
let results = await tryCreatingTrustedTypePoliciesWithCSP(
[trustedTypePolicyName],
`header(Content-Security-Policy,trusted-types ${encodeURIComponent(trustedTypePolicyName)},True)`
);
assert_equals(results.length, 1);
assert_equals(results[0].name, trustedTypePolicyName);
assert_true(results[0].exception instanceof TypeError, "createPolicy() should throw a TypeError.");
assert_equals(results[0].violatedPolicies.length, 1, "createPolicy() should trigger a violation report.");
assert_equals(results[0].violatedPolicies[0].disposition, "enforce");
assert_equals(results[0].violatedPolicies[0].policy, `trusted-types ${trustedTypePolicyName}`);
}, `invalid tt-policy-name name "${trustedTypePolicyName}"`);
});
// tt-expressions can separated by any ASCII whitespace per the spec's ABNF:
promise_test(async t => {
let results = await tryCreatingTrustedTypePoliciesWithCSP(
["_TTP1_", "_TTP2_", "_TTP3_", "_TTP4_", "_TTP5_"],
"header(Content-Security-Policy,trusted-types _TTP1_%09_TTP2_%0C_TTP3_%0D_TTP4_%20_TTP5_,True)"
);
assert_equals(results.length, 5);
results.forEach((result, index) => {
assert_equals(result.exception, null);
assert_equals(result.violatedPolicies.length, 0);
});
}, `directive "trusted-type _TTP1_%09_TTP2_%0C_TTP3_%0D_TTP4_%20_TTP5_" (required-ascii-whitespace)`);
// tt-expressions must be separated by a required-ascii-whitespace:
promise_test(async t => {
let results = await tryCreatingTrustedTypePoliciesWithCSP(
["_TTP_"],
"header(Content-Security-Policy,trusted-types _TTP_*,True)"
);
assert_equals(results.length, 1);
assert_true(results[0].exception instanceof TypeError);
assert_equals(results[0].violatedPolicies.length, 1);
assert_equals(results[0].violatedPolicies[0].disposition, "enforce");
assert_equals(results[0].violatedPolicies[0].policy, `trusted-types _TTP_*`);
}, `invalid directive "trusted-type _TTP" (no ascii whitespace)`);
</script>