chromium/src/third_party/blink/web_tests/external/wpt/trusted-types/trusted-types-source-file-path.tentative.html - manifest_repos/chromium_src - Git at Google

 <!DOCTYPE html>
 <head>
   <title>
     Check the reported TrustedType violation's sourceFile.
   </title>
   <script src="/resources/testharness.js"></script>
   <script src="/resources/testharnessreport.js"></script>
   <script src="/common/get-host-info.sub.js"></script>
   <meta http-equiv="Content-Security-Policy"
         content="require-trusted-types-for 'script'; trusted-types id">
   </head>
 <body>

 <script id="to-be-modified"></script>
 <script>
 let toBeModified = document.querySelector("#to-be-modified");

 let id_policy = trustedTypes.createPolicy("id", {
   createHTML: x => x,
   createScriptURL: x => x,
   createScript: x => x,
 });

 function futureViolation() {
   return new Promise(r => addEventListener("securitypolicyviolation", r), {
     once: true
   });
 }

 function futureScript(url) {
   return new Promise(r => {
     let script = document.createElement("script");
     script.src = id_policy.createScriptURL(url);
     script.onload = r;
     document.body.appendChild(script);
   });
 }

 promise_test(async t => {
   let future_violation = futureViolation();
   assert_throws_js(TypeError, _ => {
     document.getElementById("to-be-modified").innerHTML = "'test'";
   });
   let violation = await future_violation;
   assert_equals(violation.sourceFile, location.href)
 }, "same-document script")

 promise_test(async t => {
   let script_origin = get_host_info().HTTP_ORIGIN;
   let script_src = script_origin +
     "/trusted-types/support/set-inner-html.js";
   let script = await futureScript(script_src);
   let future_violation = futureViolation();
   assert_throws_js(TypeError, () => setInnerHtml(toBeModified, "'test'"));
   let violation = await future_violation;
   assert_equals(violation.sourceFile, script_src);
 }, "same-origin script")

 promise_test(async t => {
   let script_origin = get_host_info().HTTP_REMOTE_ORIGIN;
   let script_src = script_origin +
     "/trusted-types/support/set-inner-html.js";
   let script = await futureScript(script_src);
   let future_violation = futureViolation();
   assert_throws_js(TypeError, () => setInnerHtml(toBeModified, "'test'"));
   let violation = await future_violation;
   assert_equals(violation.sourceFile, script_src);
 }, "cross-origin script")

 // TODO(arthursonzogni): Check what happens with redirects. Do we report the
 // request's URL or the response's URL?

 </script>
 </body>
	<!DOCTYPE html>
	<head>
	<title>
	Check the reported TrustedType violation's sourceFile.
	</title>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script src="/common/get-host-info.sub.js"></script>
	<meta http-equiv="Content-Security-Policy"
	content="require-trusted-types-for 'script'; trusted-types id">
	</head>
	<body>

	<script id="to-be-modified"></script>
	<script>
	let toBeModified = document.querySelector("#to-be-modified");

	let id_policy = trustedTypes.createPolicy("id", {
	createHTML: x => x,
	createScriptURL: x => x,
	createScript: x => x,
	});

	function futureViolation() {
	return new Promise(r => addEventListener("securitypolicyviolation", r), {
	once: true
	});
	}

	function futureScript(url) {
	return new Promise(r => {
	let script = document.createElement("script");
	script.src = id_policy.createScriptURL(url);
	script.onload = r;
	document.body.appendChild(script);
	});
	}

	promise_test(async t => {
	let future_violation = futureViolation();
	assert_throws_js(TypeError, _ => {
	document.getElementById("to-be-modified").innerHTML = "'test'";
	});
	let violation = await future_violation;
	assert_equals(violation.sourceFile, location.href)
	}, "same-document script")

	promise_test(async t => {
	let script_origin = get_host_info().HTTP_ORIGIN;
	let script_src = script_origin +
	"/trusted-types/support/set-inner-html.js";
	let script = await futureScript(script_src);
	let future_violation = futureViolation();
	assert_throws_js(TypeError, () => setInnerHtml(toBeModified, "'test'"));
	let violation = await future_violation;
	assert_equals(violation.sourceFile, script_src);
	}, "same-origin script")

	promise_test(async t => {
	let script_origin = get_host_info().HTTP_REMOTE_ORIGIN;
	let script_src = script_origin +
	"/trusted-types/support/set-inner-html.js";
	let script = await futureScript(script_src);
	let future_violation = futureViolation();
	assert_throws_js(TypeError, () => setInnerHtml(toBeModified, "'test'"));
	let violation = await future_violation;
	assert_equals(violation.sourceFile, script_src);
	}, "cross-origin script")

	// TODO(arthursonzogni): Check what happens with redirects. Do we report the
	// request's URL or the response's URL?

	</script>
	</body>