trusted-types-eval-reporting-no-unsafe-eval.html

Enable keyboard shortcuts

This WPT test may be referenced by the following Test IDs:
- /trusted-types/trusted-types-eval-reporting-no-unsafe-eval.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<head>

  <script nonce="123" src="/resources/testharness.js"></script>

  <script nonce="123"src="/resources/testharnessreport.js"></script>

  <script src="./support/csp-violations.js"></script>

  <meta http-equiv="Content-Security-Policy" content="script-src http: https: 'nonce-123' 'report-sample'">

  <meta http-equiv="Content-Security-Policy" content="connect-src 'none'">

  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">

</head>

<body>

  <script nonce="123">

  // A sample policy we use to test trustedTypes.createPolicy behaviour.

  const id = x => x;

  const a_policy = {

    createHTML: id,

    createScriptURL: id,

    createScript: id,

};

  const scriptyPolicy = trustedTypes.createPolicy('allowEval', a_policy);

  window.script_run_beacon = 'never_overwritten';

  promise_test(async t => {

    const input = 'script_run_beacon="should not run"';

    let violation = await trusted_type_violation_for(EvalError, _ =>

      eval(input)

);

    assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));

    assert_equals(violation.sample, `eval|${clipSampleIfNeeded(input)}`);

    assert_equals(script_run_beacon, 'never_overwritten');

  }, "Trusted Type violation report: evaluating a string violates both script-src and trusted-types.");

  promise_test(async t => {

    const input = 'script_run_beacon="i ran"';

    let violation = await trusted_type_violation_for(EvalError, _ =>

      eval(scriptyPolicy.createScript(input))

);

    assert_equals(violation.effectiveDirective, "script-src");

    assert_equals(violation.sample, clipSampleIfNeeded(input));

    assert_not_equals(script_run_beacon, 'i ran'); // Code did not run.

    assert_equals(script_run_beacon, 'never_overwritten');

  }, "Trusted Type violation report: evaluating a Trusted Script violates script-src.");

  promise_test(async t => {

    const input = 'script_run_beacon="should not run"';

    trustedTypes.createPolicy('default', {

      createScript: s => s,

});

    let violation = await trusted_type_violation_for(EvalError, _ =>

      eval(input) // script-src will block.

);

    assert_equals(violation.effectiveDirective, "script-src");

    assert_equals(violation.sample, clipSampleIfNeeded(input));

    assert_not_equals(script_run_beacon, 'should not run'); // Code did not run.

    assert_equals(script_run_beacon, 'never_overwritten');

  }, "Trusted Type violation report: script-src restrictions apply after the default policy runs.");

  </script>

</body>