| <!DOCTYPE html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| </head> |
| <body> |
| <script> |
| |
| function promise_violation(filter_arg) { |
| return _ => new Promise((resolve, reject) => { |
| function handler(e) { |
| let matches = (filter_arg instanceof Function) |
| ? filter_arg(e) |
| : (e.originalPolicy.includes(filter_arg)); |
| if (matches) { |
| document.removeEventListener("securitypolicyviolation", handler); |
| e.stopPropagation(); |
| resolve(e); |
| } |
| } |
| |
| document.addEventListener("securitypolicyviolation", handler); |
| }); |
| } |
| |
| promise_test(t => { |
| let p = Promise.resolve() |
| .then(promise_violation("require-trusted-types-for 'script'")); |
| |
| d = document.createElement("div"); |
| d.innerHTML = "a"; |
| assert_equals("a", d.innerHTML); |
| return p; |
| }, "Require trusted types for 'script' block create HTML."); |
| |
| promise_test(t => { |
| let p = Promise.resolve() |
| .then(promise_violation("require-trusted-types-for 'script'")); |
| |
| d = document.createElement("script"); |
| d.innerText = "a"; |
| assert_equals("a", d.innerText); |
| return p; |
| }, "Require trusted types for 'script' block create script."); |
| |
| promise_test(t => { |
| let p = Promise.resolve() |
| .then(promise_violation("require-trusted-types-for 'script'")); |
| |
| s = document.createElement("script"); |
| s.src = "a"; |
| assert_true(s.src.includes("/trusted-types/a")); |
| return p; |
| }, "Require trusted types for 'script' block create script URL."); |
| |
| promise_test(t => { |
| return new Promise(resolve => { |
| p = trustedTypes.createPolicy("policyA", {createScript: s => s+1}); |
| p1 = trustedTypes.createPolicy("policyA", {createHTML: _ => ""}); |
| p2 = trustedTypes.createPolicy("default", {}); |
| script = p.createScript("1"); |
| assert_equals(script.toString(), "11"); |
| s = document.createElement("script"); |
| s.innerText = script; |
| assert_equals(script.toString(), s.innerText.toString()); |
| s.innerText = "1"; |
| assert_equals("1", s.innerText); |
| resolve(); |
| }); |
| }, "Set require trusted types for 'script' without CSP for trusted types don't block policy creation and using."); |
| </script> |