eval-in-iframe.html (1744B)
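<!doctype html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <title>eval-in-iframe</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="/common/utils.js"></script>
</head>

<body>
  <p>This test checks that the CSP of calleeRealm only (and not of
  the callerRealm) is checked for allowing eval.</p>
  <script>
    // Each case gives the child frame a policy that permits inline script
    // but carries no 'unsafe-eval', so eval is forbidden in that realm.
    // One case states this via script-src, the other via default-src
    // (the fallback directive when script-src is absent).
    let tests = [
      { "directive": "script-src", "csp": "script-src 'unsafe-inline'" },
      { "directive": "default-src", "csp": "default-src 'unsafe-inline'" },
    ];

    tests.forEach(test => {
      // The support script presumably serves a document whose CSP is the
      // policy passed in the query string, so the iframe realm — not this
      // parent realm — is governed by test.csp.
      let child = document.createElement('iframe');
      child.src = '/content-security-policy/unsafe-eval/support' +
        '/echo-eval-with-policy.py?policy=' + encodeURIComponent(test.csp);
      document.body.appendChild(child);
      // Several frames are attached at once; resolve only on the message
      // coming from this one, with the child's own report as the value.
      let msg = new Promise(resolve => {
        window.addEventListener('message', e => {
          if (e.source == child.contentWindow)
            resolve(e.data);
        });
      });

      // eval() called inside the iframe: the callee realm is the iframe,
      // whose policy lacks 'unsafe-eval', so the child must report it blocked.
      promise_test(async t => {
        assert_equals((await msg).evalInIframe, "blocked");
      }, `(${test.directive}) Eval code should not execute ` +
      `from iframe in iframe`);
      // parent.eval() called inside the iframe: the callee realm is this
      // document, whose policy must allow eval for the expectation to hold;
      // the caller's stricter policy must not be consulted.
      promise_test(async t => {
        assert_equals((await msg).evalInParent, "allowed");
      }, `(${test.directive}) Eval code should execute ` +
      `from iframe in parent`);
      // child.contentWindow.eval() called from here: the callee realm is the
      // iframe, so its policy applies and the error is the child's own
      // EvalError constructor, not this realm's. Ordering matters: promise
      // tests run sequentially, and the two above have already awaited msg,
      // so the frame has navigated away from its initial about:blank (which
      // would inherit this document's policy) before eval is attempted.
      promise_test(async t => {
        assert_throws_js(child.contentWindow.EvalError, _ =>
          child.contentWindow.eval('1+1'));
      }, `(${test.directive}) Eval code should not execute ` +
      `from parent in iframe`);
    });
  </script>
</body>

</html>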