<!DOCTYPE html>
<html>
<head>
<title>eval-in-iframe</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<p>This test checks that eval() is blocked inside an iframe whose policy does not specify 'unsafe-eval'.</p>
<script>
// Each case supplies a policy that allows inline script but omits
// 'unsafe-eval', so eval() in the framed document is expected to be blocked.
var tests = [
  {
    "name": "script-src blocks eval unless 'unsafe-eval' is specified.",
    "csp": "script-src 'unsafe-inline'"
  },
  {
    "name": "default-src blocks eval unless 'unsafe-eval' is specified.",
    "csp": "default-src 'unsafe-inline'"
  },
];

for (const test of tests) {
  async_test(t => {
    // The policy under test is handed to the support resource in the query
    // string, URL-encoded so quotes and spaces survive intact.
    // NOTE(review): presumably the resource applies it as the frame's CSP and
    // posts "eval blocked" / "eval allowed" back; confirm against the support file.
    const frame = document.createElement('iframe');
    frame.src =
        '/content-security-policy/unsafe-eval/support/echo-eval-with-policy.py?policy=' +
        encodeURIComponent(test.csp);

    const onMessage = t.step_func(event => {
      // Every case listens on the same window, so a verdict is accepted only
      // from the frame this case created.
      if (event.source != frame.contentWindow)
        return;

      switch (event.data) {
        case "eval blocked":
          t.done();
          break;
        case "eval allowed":
          assert_unreached("Eval code was executed in iframe");
          break;
        // Any other message is ignored; without a verdict the case is left to
        // the harness timeout rather than failing explicitly.
      }
    });
    window.addEventListener('message', onMessage);

    // Attaching the frame starts the load; the listener is already in place.
    document.body.appendChild(frame);
  }, test.name);
}
</script>
</body>
</html>