report-only-unsafe-eval.html (1267B)
<!DOCTYPE html>
<html>
<head>
  <!--
    Test: a Report-Only CSP without 'unsafe-eval' must NOT block eval(), but must still
    dispatch a securitypolicyviolation event and send a violation report.
    The nonce "abc" is a fixed test value only; real nonces are unpredictable per response.
  -->
  <script nonce="abc" src="/resources/testharness.js"></script>
  <script nonce="abc" src="/resources/testharnessreport.js"></script>
  <!-- CSP headers
  Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'nonce-abc'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
  -->
</head>
<body>
  <script nonce="abc">
    // Eval must succeed: the policy is report-only, so nothing is enforced.
    // `t` is intentionally a var so the direct eval() below can resolve it.
    var t = async_test("Eval is allowed because the CSP is report-only");

    // Even though nothing is blocked, the violation is still surfaced as an event.
    var t_spv = async_test("SPV event is still raised");
    t_spv.step_timeout(t_spv.unreached_func("SPV event has not been received"), 3000);

    // Listener is registered before the eval() so the event cannot be missed.
    document.addEventListener('securitypolicyviolation', t_spv.step_func(function (event) {
      assert_equals(event.violatedDirective, "script-src");
      assert_equals(event.blockedURI, "eval");
      t_spv.done();
    }));

    try {
      // Completes `t`; under an enforcing policy this call would throw instead.
      eval("t.done()");
    } catch {
      // Reaching here means eval() was blocked, which report-only must never do.
      t.step(t.unreached_func("The eval should have executed succesfully"));
      t_spv.step(t_spv.unreached_func("The eval execution should have triggered a securitypolicyviolation event"));
    }
  </script>
  <!-- Verifies that the report-uri endpoint actually received the violation report. -->
  <script nonce="abc" async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27unsafe-inline%27"></script>
</body>
</html>