script-src-event-handler-on-inline-script.html (1664B)
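<!DOCTYPE html>
<!--
  Checks that, with 'unsafe-hashes' present in script-src, a hash source can
  allow an inline event handler content attribute. Each case runs once for a
  div element and once for a script element.

  Hash sources in the policy below, in order (as annotated by the test author):
    1. 'window.eventHandlerExecuted = true'
    2. the empty string

  The annotations are kept outside the content attribute on purpose. Markup
  comments are not recognised inside an attribute value, so their text would
  become part of the policy string. Most of those tokens are dropped as invalid
  source expressions, but bare words such as "empty" and "string" are
  syntactically valid host sources and would be added to the allowlist.
-->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-dummy' 'unsafe-hashes'
               'sha256-KMqmvVOJ9XW5OiOAYYYPPTFk+Zj/3KrlSEyqWgqibwU='
               'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='">
<!-- The harness scripts and the test body are allowed by the nonce, not by the hashes. -->
<script src="/resources/testharness.js" nonce="dummy"></script>
<script src="/resources/testharnessreport.js" nonce="dummy"></script>
<script nonce="dummy">
  ["div", "script"].forEach(tag => {
    // Non-empty handler: the attribute value matches the first hash source,
    // so dispatching a click must run it and set the flag.
    test(t => {
      // Reset the flag so the next iteration starts from a known state.
      t.add_cleanup(_ => { window.eventHandlerExecuted = false; });
      let el = document.createElement(tag);
      // Give the element child text so the handler attribute is the only
      // content whose digest equals a listed hash.
      el.textContent = `/* ${tag} */`;
      el.setAttribute("onclick", "window.eventHandlerExecuted = true");
      el.dispatchEvent(new Event('click'));
      assert_true(window.eventHandlerExecuted);
    }, `Use the hash of a non-empty event handler content attribute (<${tag}> element).`);

    // Empty handler: the attribute value matches the second hash source (the
    // empty string), so no securitypolicyviolation event may be reported.
    promise_test(async t => {
      let violations = [];
      let pushViolation = e => violations.push(e.violatedDirective);
      window.addEventListener("securitypolicyviolation", pushViolation);
      t.add_cleanup(_ =>
        window.removeEventListener("securitypolicyviolation", pushViolation)
      );
      let el = document.createElement(tag);
      el.textContent = `/* ${tag} */`;
      el.setAttribute("onclick", "");
      el.dispatchEvent(new Event('click'));
      // Wait two animation frames so that any violation event queued by the
      // dispatch above has a chance to be delivered before asserting.
      await new Promise(resolve =>
        requestAnimationFrame(_ => requestAnimationFrame(resolve)));
      assert_array_equals(violations, []);
    }, `Use the hash of an empty event handler content attribute (<${tag}> element).`);
  });
</script>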