| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/content-security-policy/support/testharness-helper.js"></script> |
| <meta http-equiv="Content-Security-Policy" |
| content="require-trusted-types-for 'script'; trusted-types default"> |
| </head> |
| <body> |
| <script> |
| promise_test(t => { |
| let evil = false; |
| assert_throws_js(EvalError, _ => { |
| eval("evil = '1234567890123456789012345678901234567890';"); |
| }); |
| assert_false(evil); |
| return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => { |
| assert_equals(e.sample, "eval|evil = '12345678901234567890123456789012"); |
| })); |
| }, "Unsafe eval violation sample is clipped to 40 characters."); |
| |
| promise_test(t => { |
| assert_throws_js(EvalError, _ => { |
| new Function("a", "b", "return '1234567890123456789012345678901234567890';"); |
| }); |
| return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => { |
| assert_equals(e.sample.replace(/\n/g, ""), |
| "Function|(a,b) {return '12345678901234567890123"); |
| })); |
| }, "Function constructor - the other kind of eval - is clipped."); |
| |
| promise_test(t => { |
| const a = document.createElement("a"); |
| assert_throws_js(TypeError, _ => { |
| a.innerHTML = "1234567890123456789012345678901234567890xxxx"; |
| }); |
| assert_equals(a.innerHTML, ""); |
| return waitUntilCSPEventForTrustedTypes(t).then(t.step_func_done(e => { |
| assert_equals(e.sample, "Element innerHTML|1234567890123456789012345678901234567890"); |
| })); |
| }, "Trusted Types violation sample is clipped to 40 characters excluded the sink name."); |
| </script> |
| </body> |
| </html> |