script-src-strict_dynamic_eval.html (1263B)
<!doctype html>
<html>

<head>
  <title>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</title>
  <script nonce="dummy" src="/resources/testharness.js"></script>
  <script nonce="dummy" src="/resources/testharnessreport.js"></script>

  <!--
    CSP served: script-src 'strict-dynamic' 'nonce-dummy'

    The policy is not declared anywhere in this document, so it has to arrive
    with the response for the test to mean anything. It lists no 'unsafe-eval'
    source: 'strict-dynamic' extends trust to scripts that a nonce-trusted
    script loads, but string-to-code compilation through eval() is still
    governed by 'unsafe-eval' alone.
  -->
</head>

<body>
  <h1>Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1>
  <div id="log"></div>

  <script nonce="dummy">
    // Becomes true only if the string handed to eval() is compiled and executed.
    var evalScriptRan = false;

    async_test(function(t) {
      // Tries the eval and turns whatever it throws into a plain Error, so the
      // harness assertion below only has to match one exception type.
      // NOTE(review): this also means the thrown type (EvalError is what the CSP
      // spec calls for) is never checked here. Presumably deliberate; confirm.
      function attemptEval() {
        try {
          eval("evalScriptRan = true;");
        } catch (ignored) {
          throw new Error();
        }
      }

      // Checks the violation report: the payload must not have run, and the
      // report must name script-src as the directive and 'eval' as the blocked
      // resource.
      function onViolation(e) {
        assert_false(evalScriptRan);
        assert_equals(e.effectiveDirective, 'script-src');
        assert_equals(e.blockedURI, 'eval');
      }

      // The listener is registered before the eval attempt so the report cannot
      // be missed; step_func_done finishes the test once the handler has run.
      window.addEventListener('securitypolicyviolation', t.step_func_done(onViolation));

      // If the policy is missing or too permissive, eval() succeeds, nothing is
      // thrown, and this assertion fails the test.
      assert_throws_js(Error, attemptEval);
    }, "Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`.");
  </script>
</body>

</html>