LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-url-script-src.html - WebKit - Git at Google

 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>

 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">

 <body>

 <script nonce="abc">
   function assert_csp_event_for_element(test, element) {
     assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
     document.addEventListener("securitypolicyviolation", test.step_func(e => {
       if (e.target != element)
         return;
       assert_equals(e.blockedURI, "inline");
       assert_equals(e.effectiveDirective, "script-src-elem");
       assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
       element.remove();
       test.done();
     }));
   }

   function navigate_to_javascript_onload(test, iframe) {
     iframe.addEventListener("load", test.step_func(e => {
       assert_equals(typeof SecurityPolicyViolationEvent, "function");
       iframe.contentDocument.addEventListener(
         "securitypolicyviolation",
         test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
       );

       iframe.src = "javascript:'Fail.'";
     }));
   }

   async_test(t => {
     var i = document.createElement("iframe");
     i.src = "javascript:'Fail.'";

     assert_csp_event_for_element(t, i);

     document.body.appendChild(i);
   }, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");

   async_test(t => {
     var i = document.createElement("iframe");

     assert_csp_event_for_element(t, i);
     navigate_to_javascript_onload(t, i);

     document.body.appendChild(i);
   }, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");

   async_test(t => {
     var i = document.createElement("iframe");
     i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");

     assert_csp_event_for_element(t, i);
     navigate_to_javascript_onload(t, i);

     document.body.appendChild(i);
   }, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");

   async_test(t => {
     var i = document.createElement("iframe");
     i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");

     assert_csp_event_for_element(t, i);
     navigate_to_javascript_onload(t, i);

     document.body.appendChild(i);
   }, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
 </script>
	<!DOCTYPE html>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>

	<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">

	<body>

	<script nonce="abc">
	function assert_csp_event_for_element(test, element) {
	assert_equals(typeof SecurityPolicyViolationEvent, "function", "These tests require 'SecurityPolicyViolationEvent'.");
	document.addEventListener("securitypolicyviolation", test.step_func(e => {
	if (e.target != element)
	return;
	assert_equals(e.blockedURI, "inline");
	assert_equals(e.effectiveDirective, "script-src-elem");
	assert_equals(element.contentDocument.body.innerText, "", "Ensure that 'Fail' doesn't appear in the child document.");
	element.remove();
	test.done();
	}));
	}

	function navigate_to_javascript_onload(test, iframe) {
	iframe.addEventListener("load", test.step_func(e => {
	assert_equals(typeof SecurityPolicyViolationEvent, "function");
	iframe.contentDocument.addEventListener(
	"securitypolicyviolation",
	test.unreached_func("The CSP event should be fired in the embedding document, not in the embedee.")
	);

	iframe.src = "javascript:'Fail.'";
	}));
	}

	async_test(t => {
	var i = document.createElement("iframe");
	i.src = "javascript:'Fail.'";

	assert_csp_event_for_element(t, i);

	document.body.appendChild(i);
	}, "<iframe src='javascript:'> blocked without 'unsafe-inline'.");

	async_test(t => {
	var i = document.createElement("iframe");

	assert_csp_event_for_element(t, i);
	navigate_to_javascript_onload(t, i);

	document.body.appendChild(i);
	}, "<iframe> navigated to 'javascript:' blocked without 'unsafe-inline'.");

	async_test(t => {
	var i = document.createElement("iframe");
	i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'unsafe-inline'");

	assert_csp_event_for_element(t, i);
	navigate_to_javascript_onload(t, i);

	document.body.appendChild(i);
	}, "<iframe src='...'> with 'unsafe-inline' navigated to 'javascript:' blocked in this document");

	async_test(t => {
	var i = document.createElement("iframe");
	i.src = "../support/echo-policy.py?policy=" + encodeURIComponent("script-src 'none'");

	assert_csp_event_for_element(t, i);
	navigate_to_javascript_onload(t, i);

	document.body.appendChild(i);
	}, "<iframe src='...'> without 'unsafe-inline' navigated to 'javascript:' blocked in this document.");
	</script>