[gecko.git] / dom / security / test / csp / test_evalscript_blocked_by_strict_dynamic.html
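<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!-- Policy under test: script execution is allowed only for scripts carrying
       the nonce (and, via 'strict-dynamic', scripts those trusted scripts load).
       'unsafe-eval' is deliberately absent, so string-to-code evaluation must
       remain blocked. -->
  <meta http-equiv="Content-Security-Policy"
        content="script-src 'nonce-foobar' 'strict-dynamic'">
  <title>Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled
  </title>
  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
  </script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<script nonce="foobar">

/* Description of the test:
 * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
 * check if the eval function is blocked correctly by the CSP.
 *
 * 'strict-dynamic' only propagates trust from an already trusted script to
 * the scripts it loads; it is not a substitute for 'unsafe-eval'. This test
 * is a regression check that enabling 'strict-dynamic' does not switch off
 * the eval restriction.
 */

SimpleTest.waitForExplicitFinish();

// start the test
try {
  eval("1");
  // Reaching this line means the policy let eval run.
  ok(false, "eval should be blocked by CSP");
}
catch (ex) {
  // Require the exception type the CSP check raises. Accepting any exception
  // would let an unrelated failure mask a real regression in eval blocking.
  ok(ex instanceof EvalError, "eval blocked by CSP");
}

SimpleTest.finish();

</script>
</body>
</html>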