trusted-types-svg-script.html

Enable keyboard shortcuts

This WPT test may be referenced by the following Test IDs:
- /trusted-types/trusted-types-svg-script.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<head>

  <script src="/resources/testharness.js"></script>

  <script src="/resources/testharnessreport.js"></script>

  <meta http-equiv="Content-Security-Policy"

        content="require-trusted-types-for 'script'">

</head>

<body>

  <div id="log"></div>

  <svg id="svg"><script id="script">"some script text";</script></svg>

  <script>

    // Returns a promise that resolves with a Security Policy Violation (spv)

    // even when it is received.

    function promise_spv() {

      return new Promise((resolve, reject) => {

        window.addEventListener("securitypolicyviolation", e => {

          resolve(e);

        }, { once: true });

});

    const policy = trustedTypes.createPolicy("policy", {

        createScript: x => x, createHTML: x => x, createScriptURL: x => x });

    promise_test(t => {

      assert_throws_js(TypeError, _ => {

        document.getElementById("script").innerHTML = "'modified via innerHTML';";

});

      return promise_spv();

    }, "Assign String to SVGScriptElement.innerHTML.");

    promise_test(t => {

      document.getElementById("script").innerHTML = policy.createHTML("'modified via innerHTML';");

      return Promise.resolve();

    }, "Assign TrustedHTML to SVGScriptElement.innerHTML.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      elem.innerHTML = policy.createHTML("'modified via innerHTML';");

      document.getElementById("svg").appendChild(elem);

      return promise_spv();

    }, "Assign TrustedHTML to SVGScriptElement.innerHTML and execute it.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      elem.insertBefore(document.createTextNode("modified via DOM"), null);

      document.getElementById("svg").appendChild(elem);

      return promise_spv();

    }, "Modify SVGScriptElement via DOM manipulation.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      assert_throws_js(TypeError, _ => {

        elem.href.baseVal = "about:blank";

});

      document.getElementById("svg").appendChild(elem);

      return promise_spv();

    }, "Assign string to SVGScriptElement.href.baseVal.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      elem.href.baseVal = policy.createScriptURL("about:blank");

      document.getElementById("svg").appendChild(elem);

      return Promise.resolve();

    }, "Assign TrustedScriptURL to SVGScriptElement.href.baseVal.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      assert_throws_js(TypeError, _ => {

        elem.setAttribute("href", "about:blank");

});

      document.getElementById("svg").appendChild(elem);

      return promise_spv();

    }, "Assign string to non-attached SVGScriptElement.href via setAttribute.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      elem.setAttribute("href", policy.createScriptURL("about:blank"));

      document.getElementById("svg").appendChild(elem);

      return Promise.resolve();

    }, "Assign TrustedScriptURL to non-attached SVGScriptElement.href via setAttribute.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      document.getElementById("svg").appendChild(elem);

      assert_throws_js(TypeError, _ => {

        elem.setAttribute("href", "about:blank");

});

      return promise_spv();

    }, "Assign string to attached SVGScriptElement.href via setAttribute.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      document.getElementById("svg").appendChild(elem);

      elem.setAttribute("href", policy.createScriptURL("about:blank"));

      return Promise.resolve();

    }, "Assign TrustedScriptURL to attached SVGScriptElement.href via setAttribute.");

    // Default policy test: We repate the string assignment tests above,

    // but now expect all of them to pass.

    promise_test(t => {

      trustedTypes.createPolicy("default", {

        createScript: x => x, createHTML: x => x, createScriptURL: x => x });

      return Promise.resolve();

    }, "Setup default policy");

    promise_test(t => {

      document.getElementById("script").innerHTML = "'modified via innerHTML';";

      return Promise.resolve();

    }, "Assign String to SVGScriptElement.innerHTML w/ default policy.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      elem.href.baseVal = "about:blank";

      document.getElementById("svg").appendChild(elem);

      return Promise.resolve();

    }, "Assign string to SVGScriptElement.href.baseVal  w/ default policy.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      elem.setAttribute("href", "about:blank");

      document.getElementById("svg").appendChild(elem);

      return Promise.resolve();

    }, "Assign string to non-attached SVGScriptElement.href via setAttribute w/ default policy.");

    promise_test(t => {

      const elem = document.createElementNS(

          "http://www.w3.org/2000/svg", "script");

      document.getElementById("svg").appendChild(elem);

      elem.setAttribute("href", "about:blank");

      return Promise.resolve();

    }, "Assign string to attached SVGScriptElement.href via setAttribute w/ default policy.");

  </script>

</body>