report-clips-sample.https.html (3660B)
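<!DOCTYPE html>
<html>
<head>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="/content-security-policy/support/testharness-helper.js"></script>
  <!--
    Trusted Types is enforced for script sinks, and only a policy named
    "default" may be created. The inline script below never creates one, so
    every plain string handed to eval, the Function constructors or innerHTML
    is expected to be rejected and reported as a violation.
  -->
  <meta http-equiv="Content-Security-Policy"
        content="require-trusted-types-for 'script'; trusted-types default">
</head>
<body>
<script>
  // Each test triggers one blocked sink and then checks the `sample` field of
  // the resulting violation event: "<sink name>|<first N characters of the
  // blocked string>". Keeping the sample short bounds how much of the blocked
  // string ends up in violation reports.
  // waitUntilCSPEventForTrustedTypes() is not defined in this file; presumably
  // it comes from testharness-helper.js and resolves with the violation event.
  const trimmedSampleLength = 40;

  // Longer than trimmedSampleLength, so the reported sample must be cut short.
  const evalSample = "evil = '1234567890123456789012345678901234567890;'";
  const trimmedEvalSample = evalSample.substring(0, trimmedSampleLength);

  promise_test(t => {
    // Direct eval would run in this function's scope and overwrite `evil`,
    // so the flag staying false shows the payload never executed.
    let evil = false;
    assert_throws_js(EvalError, _ => {
      eval(evalSample);
    });
    assert_false(evil);
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      assert_equals(e.sample, `eval|${trimmedEvalSample}`);
    }));
  }, `Unsafe eval violation sample is clipped to ${trimmedSampleLength} characters.`);

  promise_test(t => {
    assert_throws_js(EvalError, _ => {
      eval?.(evalSample);
    });
    // Indirect eval runs as global code: a payload that slipped through would
    // create a global `evil`, which a function-local flag could never observe.
    assert_false("evil" in globalThis, "indirect eval payload must not run");
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      assert_equals(e.sample, `eval|${trimmedEvalSample}`);
    }));
  }, `Unsafe indirect eval violation sample is clipped to ${trimmedSampleLength} characters.`);

  const functionBody = "return '1234567890123456789012345678901234567890';";
  // Parameter list and body as the tests below expect them to appear in the
  // sample, i.e. the assembled source text minus its leading function prefix.
  const sampleWithoutFunctionPrefix = `(a,b\n) {\n${functionBody}\n}`;
  // All four dynamic-function constructors are expected to report the same sample.
  const trimmedFunctionSample = sampleWithoutFunctionPrefix.substring(0, trimmedSampleLength);

  promise_test(t => {
    assert_throws_js(EvalError, _ => {
      new Function("a", "b", functionBody);
    });
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      assert_equals(e.sample, `Function|${trimmedFunctionSample}`);
    }));
  }, "Function constructor - the other kind of eval - is clipped.");

  promise_test(t => {
    assert_throws_js(EvalError, _ => {
      const AsyncFunction = async function() {}.constructor;
      new AsyncFunction("a", "b", functionBody);
    });
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      assert_equals(e.sample, `Function|${trimmedFunctionSample}`);
    }));
  }, "Async Function constructor is also clipped.");

  promise_test(t => {
    assert_throws_js(EvalError, _ => {
      const GeneratorFunction = function*() {}.constructor;
      new GeneratorFunction("a", "b", functionBody);
    });
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      assert_equals(e.sample, `Function|${trimmedFunctionSample}`);
    }));
  }, "Generator Function constructor is also clipped.");

  promise_test(t => {
    assert_throws_js(EvalError, _ => {
      const AsyncGeneratorFunction = async function*() {}.constructor;
      new AsyncGeneratorFunction("a", "b", functionBody);
    });
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      assert_equals(e.sample, `Function|${trimmedFunctionSample}`);
    }));
  }, "AsyncGenerator Function constructor is also clipped.");

  promise_test(t => {
    const a = document.createElement("a");
    // 44 characters: the trailing "xxxx" must not appear in the reported sample.
    const htmlSample = "1234567890123456789012345678901234567890xxxx";
    assert_throws_js(TypeError, _ => {
      a.innerHTML = htmlSample;
    });
    // The rejected assignment must leave the element untouched.
    assert_equals(a.innerHTML, "");
    return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => {
      // The limit applies to the payload only; the sink name prefix is not counted.
      assert_equals(e.sample, `Element innerHTML|${htmlSample.substring(0, trimmedSampleLength)}`);
    }));
  }, "Trusted Types violation sample is clipped to 40 characters excluded the sink name.");
</script>
</body>
</html>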