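<!--
  Test policy: a script may run only if it carries the nonce "foobar" or is
  loaded by a script that does ('strict-dynamic'). The policy lists no
  'unsafe-eval', and 'strict-dynamic' does not imply it, so eval() has to be
  refused; that is what this test checks.
  The fixed nonce and the meta-tag delivery are test-fixture conveniences: a
  deployed policy needs a fresh, unpredictable nonce per response and is
  normally sent as an HTTP response header.
-->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-foobar' 'strict-dynamic'">
<title>Bug 1439330 - CSP: eval is not blocked if 'strict-dynamic' is enabled</title>
<!-- Test harness; it needs the nonce as well, or the policy above would block it. -->
<script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">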
14 <script nonce=
"foobar">
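/* Description of the test:
 * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
 * check if the eval function is blocked correctly by the CSP.
 * 'strict-dynamic' only extends trust to scripts loaded by an already
 * trusted script; it does not stand in for 'unsafe-eval', which this
 * policy does not list.
 */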
21 SimpleTest.waitForExplicitFinish();
26 ok(false,
"eval should be blocked by CSP");
29 ok(true,
"eval blocked by CSP");