Source code

Revision control

Copy as Markdown

Other Tools

Test Info:

<!DOCTYPE html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/content-security-policy/support/testharness-helper.js"></script>
<script src="./support/csp-violations.js"></script>
</head>
<body>
<!-- Some elements for the tests to act on. -->
<div id="div"></div>
<script id="script-src" src=""></script>
<script id="script"></script>
<script id="script2"></script>
<script>
// CSP insists the "trusted-types: ..." directives are delivered as headers
// (rather than as "meta http-equiv" tags). This test assumes the following
// headers are set in the .headers file:
//
// Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...
// A sample policy we use to test trustedTypes.createPolicy behaviour.
const id = x => x;
const policy = trustedTypes.createPolicy("two", {
createHTML: id,
createScriptURL: id,
createScript: id,
});
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script").src = "// #abc"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_true(document.getElementById("script").src.endsWith("// #abc"));
}, "Trusted Type violation report-only: assign string to script url");
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("div").innerHTML = "abc"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_equals(document.getElementById("div").textContent, "abc");
}, "Trusted Type violation report-only: assign string to html");
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script-src").src = "#"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_true(document.getElementById("script-src").src.endsWith("#"));
}, "Trusted Type violation report-only: assign string to script.src");
promise_test(async t => {
let violation = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script").innerHTML = "con" + "sole.log('Hello');"
);
assert_true(violation.originalPolicy.includes("trusted-types two"));
assert_true(document.getElementById("script").textContent.startsWith("consol"));
}, "Trusted Type violation report-only: assign string to script content");
promise_test(async t => {
let report = await trusted_type_violation_without_exception_for(_ =>
document.getElementById("script").src = "#def"
);
assert_equals(report.documentURI, "" + window.location);
assert_equals(report.disposition, "report");
assert_equals(report.effectiveDirective, "require-trusted-types-for");
assert_equals(report.violatedDirective, "require-trusted-types-for");
assert_true(report.originalPolicy.startsWith("trusted-types two;"));
}, "Trusted Type violation report: check report contents");
</script>
</body>