| <!DOCTYPE HTML> |
| <html> |
| |
| <head> |
| <title>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</title> |
| <script src='/resources/testharness.js' nonce='dummy'></script> |
| <script src='/resources/testharnessreport.js' nonce='dummy'></script> |
| |
| <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'unsafe-eval' --> |
| </head> |
| |
| <body> |
| <h1>Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`.</h1> |
| <div id='log'></div> |
| |
| <script nonce='dummy'> |
| var newFunctionScriptRan = false; |
| async_test(function(t) { |
| window.addEventListener('securitypolicyviolation', t.unreached_func('No CSP violation report has fired.')); |
| try { |
| new Function('newFunctionScriptRan = true;')(); |
| } catch (e) { |
| assert_unreached("`new Function()` should be allowed with `strict-dynamic` with `unsafe-eval`."); |
| } |
| assert_true(newFunctionScriptRan); |
| t.done(); |
| }, "Script injected via `new Function()` is allowed with `strict-dynamic` with `unsafe-eval`."); |
| </script> |
| </body> |
| |
| </html> |