<!DOCTYPE html>
<html>

<head>
  <!-- The policy deliberately omits 'unsafe-eval', so eval() is expected to be
       refused; 'unsafe-inline' keeps the inline <script> blocks below runnable. -->
  <meta http-equiv="Content-Security-Policy"
        content="script-src 'self' 'unsafe-inline';">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
</head>

<body>

<p>
  Eval should be blocked in the iframe, but inline script should be allowed.
</p>

<script>
// Writes a small script into the about:blank frame that calls eval() and
// reports the outcome back to this window with postMessage. The test only
// passes when both of the following arrive:
//   (1) 'PASS' from the frame, meaning eval() threw an EvalError and the
//       eval'd payload (which would post 'FAIL') never ran, and
//   (2) a securitypolicyviolation report whose violated directive is script-src.
promise_test(async (t) => {
  // The <iframe> is declared after this script, so wait for the window's
  // load event before touching frames[0].
  await new Promise((resolve) => {
    window.onload = resolve;
  });

  // Resolves on 'PASS'. Any 'FAIL' message means eval executed in the frame
  // and turns into a rejection via the assertion. Other messages are ignored.
  const evalBlocked = new Promise((resolve, reject) => {
    window.addEventListener('message', (event) => {
      try {
        assert_not_equals(event.data, 'FAIL', 'eval was executed in the frame');
        if (event.data === 'PASS') {
          resolve();
        }
      } catch (e) {
        reject(e);
      }
    });
  });

  // Resolves once a message carrying a 'violated-directive' key arrives and
  // that directive is script-src. Plain 'PASS'/'FAIL' strings have no such
  // property and are skipped here.
  const violationReported = new Promise((resolve, reject) => {
    window.addEventListener('message', (event) => {
      try {
        const directive = event.data['violated-directive'];
        if (directive) {
          assert_equals(directive, 'script-src');
          resolve();
        }
      } catch (e) {
        reject(e);
      }
    });
  });

  // The closing tag is split (`</sc` + `ript>`) so the outer HTML parser does
  // not terminate this <script> element early. Inside the frame, 'FAIL' is
  // posted only if the eval'd payload actually runs; 'PASS' is posted when
  // eval() throws an EvalError.
  // NOTE(review): the violation report is posted without an explicit
  // targetOrigin (same-origin delivery by default), whereas PASS/FAIL use '*'.
  frames[0].document.write(`
<script>
  window.addEventListener('securitypolicyviolation', function(e) {
    parent.postMessage({ 'violated-directive': e.violatedDirective });
  });
  try {
    eval('parent.postMessage(\"FAIL\", \"*\");');
  } catch (e) {
    if (e instanceof EvalError)
      parent.postMessage(\"PASS\", \"*\");
  }
</sc` + `ript>`);
  frames[0].document.close();

  // Both conditions must hold for the test to pass.
  await evalBlocked;
  await violationReported;
});
</script>
<iframe src="about:blank"></iframe>

</body>

</html>