testing/web-platform/tests/trusted-types/trusted-types-report-only.tentative.https.html
author Daniel Vogelheim <vogelheim@chromium.org>
Wed, 06 Mar 2019 12:32:58 +0000
changeset 464634 290e807883565ef8c51ed15fe87bec02cc3152e3
parent 464300 421b2d61556853b4914612860935627cda2ab40e
permissions -rw-r--r--
Bug 1526693 [wpt PR 15275] - [trusted types] Support reporting and report-only mode., a=testonly Automatic update from web-platform-tests [trusted types] Support reporting and report-only mode. Bug: 739170 Change-Id: I7c1e4db4f22166692d9fdd90c60d2ef61635033b Reviewed-on: https://chromium-review.googlesource.com/c/1456012 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Andy Paicu <andypaicu@chromium.org> Cr-Commit-Position: refs/heads/master@{#634145} -- wpt-commits: 95c2354431560bda34b98ed0e1efee2aaa24e1a4 wpt-pr: 15275

<!DOCTYPE html>
<head>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="/content-security-policy/support/testharness-helper.js"></script>
</head>
<body>

  <!-- Some elements for the tests to act on. -->
  <a id="anchor" href="#">anchor</a>
  <div id="div"></div>
  <script id="script-src" src=""></script>
  <script id="script"></script>

  <script>
  // CSP insists the "trusted-types: ..." directives are deliverd as headers
  // (rather than as "<meta http-equiv" tags). This test assumes the following
  // headers are set in the .headers file:
  //
  //   Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...

  // Return function that returns a promise that resolves on the given
  // violation report.
  function expect_violation(filter) {
    return new Promise((resolve, reject) => {
      function handler(e) {
        if (e.originalPolicy.includes(filter)) {
          document.removeEventListener("securitypolicyviolation", handler);
          e.stopPropagation();
          resolve(e);
        }
      }
      document.addEventListener("securitypolicyviolation", handler);
    });
  }

  // A sample policy we use to test TrustedTypes.createPolicy behaviour.
  const id = x => x;
  const policy = TrustedTypes.createPolicy("two", {
    createHTML: id,
    createScriptURL: id,
    createURL: id,
    createScript: id,
  });


  promise_test(t => {
    let p = expect_violation("trusted-types two");
    document.getElementById("anchor").href = "#abc";
    assert_true(document.getElementById("anchor").href.endsWith("#abc"));
    return p;
  }, "Trusted Type violation report-only: assign string to url");

  promise_test(t => {
    let p = expect_violation("trusted-types two");
    document.getElementById("div").innerHTML = "abc";
    assert_equals(document.getElementById("div").textContent, "abc");
    return p;
  }, "Trusted Type violation report-only: assign string to html");

  promise_test(t => {
    let p = expect_violation("trusted-types two");
    document.getElementById("script-src").src = "#";
    assert_true(document.getElementById("script-src").src.endsWith("#"));
    return p;
  }, "Trusted Type violation report-only: assign string to script.src");

  promise_test(t => {
    let p = expect_violation("trusted-types two");
    document.getElementById("script").innerHTML = "con" + "sole.log('Hello');";
    assert_true(document.getElementById("script").textContent.startsWith("consol"));
    return p;
  }, "Trusted Type violation report-only: assign string to script content");

  promise_test(t => {
    let p = expect_violation("trusted-types two");
    document.getElementById("anchor").href = "#def";
    return p.then(report => {
      assert_equals(report.documentURI, "" + window.location);
      assert_equals(report.disposition, "report");
      assert_equals(report.effectiveDirective, "trusted-types");
      assert_equals(report.violatedDirective, "trusted-types");
      assert_true(report.originalPolicy.startsWith("trusted-types two;"));
    });
  }, "Trusted Type violation report: check report contents");

  </script>

</body>