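<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!--
    Policy under test. 'strict-dynamic' only changes how *scripts* are
    trusted (a nonced script may load further scripts without their own
    nonce); it does NOT imply 'unsafe-eval', so string-to-code (eval) must
    still be blocked. The nonce is a fixed test value; a real deployment
    must emit a fresh, unpredictable nonce per response.
  -->
  <meta http-equiv="Content-Security-Policy"
        content="script-src 'nonce-foobar' 'strict-dynamic'">
  <title>Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled
  </title>
  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
  </script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<script nonce="foobar">

  /* Description of the test:
   * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
   * check that the eval function is blocked by the CSP. The policy
   * carries no 'unsafe-eval', and 'strict-dynamic' must not grant it
   * implicitly.
   */

  SimpleTest.waitForExplicitFinish();

  // start the test
  try {
    // eslint-disable-next-line no-eval
    eval("1");
    ok(false, "eval should be blocked by CSP");
  }
  catch (ex) {
    // A CSP-blocked eval surfaces as an EvalError. Check the exception
    // type instead of accepting any throw, so the test cannot pass
    // vacuously if eval fails for an unrelated reason.
    ok(ex instanceof EvalError,
       "eval blocked by CSP with EvalError (got: " + ex + ")");
  }

  SimpleTest.finish();

</script>
</body>
</html>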