Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /trusted-types/trusted-types-eval-reporting-report-only.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<head>
<script nonce="123" src="/resources/testharness.js"></script>
<script nonce="123" src="/resources/testharnessreport.js"></script>
<script nonce="123" src="./support/csp-violations.js"></script>
<!-- Content-Security-Policy-Report-Only directives are not supported on meta
least one such directive in a .headers file. Please refer to that file
for the complete set of CSP rules that apply to this test. -->
</head>
<body>
<script nonce="123">
// A sample policy we use to test trustedTypes.createPolicy behaviour.
const id = x => x;
const a_policy = {
createHTML: id,
createScriptURL: id,
createScript: id,
};
const scriptyPolicy = trustedTypes.createPolicy('allowEval', a_policy);
window.script_run_beacon = 'vanilla';
promise_test(async t => {
const input = 'script_run_beacon="report-only-does-not-stop"';
let violation = await trusted_type_violation_without_exception_for(_ =>
eval(input)
);
assert_true(violation.originalPolicy.includes("require-trusted-types-for 'script'"));
assert_equals(violation.sample, `eval|${clipSampleIfNeeded(input)}`);
assert_equals(script_run_beacon, 'report-only-does-not-stop');
}, "Trusted Type violation report: evaluating a string.");
promise_test(async t => {
await no_trusted_type_violation_for(_ =>
eval(scriptyPolicy.createScript('script_run_beacon="trusted-script-ok"'))
);
assert_equals(script_run_beacon, 'trusted-script-ok');
}, "Trusted Type violation report: evaluating a Trusted Script.");
promise_test(async t => {
trustedTypes.createPolicy('default', {
createScript: s => s,
});
await no_trusted_type_violation_for(_ =>
eval('script_run_beacon="payload"')
);
assert_equals(script_run_beacon, 'payload');
}, "Trusted Type violation report: default policy runs in report-only mode.");
</script>
</body>