| <!DOCTYPE html> |
| <html> |
| <head> |
| <script nonce="abc" src="/resources/testharness.js"></script> |
| <script nonce="abc" src="/resources/testharnessreport.js"></script> |
| <script nonce="abc" src="support/helper.sub.js"></script> |
| |
| <!-- Note: Trusted Types enforcement, and a CSP that does not blanket-allow eval. --> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; trusted-types *"> |
| </head> |
| <body> |
| <script nonce="abc"> |
| let p = createScript_policy(window, 1); |
| test(t => { |
| assert_throws(new EvalError(), _ => { |
| eval('"hello there"') }); |
| }, "eval with plain string throws."); |
| |
| test(t => { |
| let s = eval(p.createScript('"Hello transformed string"')); |
| assert_equals(s, "Hello a cat string"); |
| }, "eval with TrustedScript works."); |
| |
| TrustedTypes.createPolicy("default", { createScript: createScriptJS }, true); |
| test(t => { |
| let s = eval('"Hello transformed untrusted string"'); |
| assert_equals(s, "Hello a cat untrusted string"); |
| }, "eval obeys default policy."); |
| </script> |
| |