script-src-strict_dynamic_new_function.html (1261B)
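<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <title>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</title>
  <script src="/resources/testharness.js" nonce="dummy"></script>
  <script src="/resources/testharnessreport.js" nonce="dummy"></script>

  <!--
    CSP served: script-src 'strict-dynamic' 'nonce-dummy'

    The policy is not declared anywhere in this markup, so it has to arrive
    with the HTTP response (presumably a companion headers file; confirm when
    moving or copying this test). Without it the string is compiled, no
    violation is reported, and the test cannot pass.

    What is being checked: 'strict-dynamic' extends trust to scripts that an
    already trusted (nonced) script adds to the document, but it does not
    permit compiling strings into code. `new Function()` is string compilation
    and stays blocked unless the policy also lists 'unsafe-eval'.
  -->
</head>

<body>
  <h1>Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`.</h1>
  <div id="log"></div>

  <script nonce="dummy">
    // Set to true only if the string handed to `new Function()` is compiled
    // and executed. Declared with `var` at the top level so that the
    // assignment inside the generated function body targets this same global.
    var newFunctionScriptRan = false;

    async_test(function(t) {
      // The test completes only from the violation report. If the browser
      // blocks the call without firing `securitypolicyviolation`, nothing
      // else finishes the test and it times out.
      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
        assert_false(newFunctionScriptRan, 'the blocked function body must not have run');
        assert_equals(e.effectiveDirective, 'script-src');
      }));

      // The wrapper rethrows a plain Error, so this assertion only requires
      // that the call throws; it does not pin the error class the browser
      // raises for the blocked compilation.
      assert_throws_js(Error, function() {
        try {
          new Function('newFunctionScriptRan = true;')();
        } catch (e) {
          throw new Error();
        }
      });
    }, "Script injected via 'new Function()' is not allowed with 'strict-dynamic' without 'unsafe-eval'.");
  </script>
</body>

</html>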