Source code
Revision control
Copy as Markdown
Other Tools
Test Info:
- This WPT test may be referenced by the following Test IDs:
- /trusted-types/trusted-types-report-only.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/content-security-policy/support/testharness-helper.js"></script>
<script src="./support/csp-violations.js"></script>
<!-- Content-Security-Policy-Report-Only directives are not supported on meta
least one such directive in a .headers file. Please refer to that file
for the complete set of CSP rules that apply to this test. -->
</head>
<body>
<!-- Some elements for the tests to act on. -->
<div id="div"></div>
<script id="script-src" src=""></script>
<script id="script"></script>
<script id="script2"></script>
<script>
// A sample policy we use to test trustedTypes.createPolicy behaviour.
const id = x => x;
const policy = trustedTypes.createPolicy("two", {
createHTML: id,
createScriptURL: id,
createScript: id,
});
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script").src = "support/namespaces.js#abc"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_true(document.getElementById("script").src.endsWith("#abc"));
}, "Trusted Type violation report-only: assign string to script url");
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("div").innerHTML = "abc"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_equals(document.getElementById("div").textContent, "abc");
}, "Trusted Type violation report-only: assign string to html");
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script-src").src = "#"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_true(document.getElementById("script-src").src.endsWith("#"));
}, "Trusted Type violation report-only: assign string to script.src");
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script").innerHTML = "con" + "sole.log('Hello');"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_true(document.getElementById("script").textContent.startsWith("consol"));
}, "Trusted Type violation report-only: assign string to script content");
promise_test(async t => {
let report = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script").src = "#def"
);
assert_equals(report.documentURI, "" + window.location);
assert_equals(report.disposition, "report");
assert_equals(report.effectiveDirective, "require-trusted-types-for");
assert_equals(report.violatedDirective, "require-trusted-types-for");
assert_true(report.originalPolicy.startsWith("trusted-types two;"));
}, "Trusted Type violation report: check report contents");
</script>
</body>