| <!DOCTYPE html> |
| <html> |
| <head> |
| <script nonce="abc" src="/resources/testharness.js"></script> |
| <script nonce="abc" src="/resources/testharnessreport.js"></script> |
| <script nonce="abc" src="support/helper.sub.js"></script> |
| |
| <!-- Note: Trusted Types enforcement, and a CSP that allows all eval. --> |
| <meta http-equiv="Content-Security-Policy" |
| content="script-src 'nonce-abc' 'unsafe-eval'; trusted-types *"> |
| </head> |
| <body> |
| <script nonce="abc"> |
| let p = createScript_policy(window, 1); |
| test(t => { |
| let a = 0; |
| assert_throws(new EvalError(), _ => { |
| eval('a="hello there"'); |
| }); |
| assert_equals(a, 0); |
| }, "eval with plain string with Trusted Types and permissive CSP throws (no type)."); |
| |
| test(t => { |
| let s = eval(p.createScript('"Hello transformed string"')); |
| assert_equals("" + s, "Hello a cat string"); |
| }, "eval with TrustedScript and permissive CSP works."); |
| |
| trustedTypes.createPolicy("default", { createScript: createScriptJS }, true); |
| test(t => { |
| let s = eval('"Hello transformed untrusted string"'); |
| assert_equals(s, "Hello a cat untrusted string"); |
| }, "eval with default policy and permissive CSP still obeys default policy."); |
| </script> |
| |
