-
Notifications
You must be signed in to change notification settings - Fork 3.3k
/
Copy pathdefault-policy.html
122 lines (116 loc) · 3.77 KB
/
default-policy.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
<!DOCTYPE html>
<html>
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/helper.sub.js"></script>
</head>
<body>
<script>
// Ensure that only the right events trigger violation reports.
// The Promise will resolve, when an event including the string "done" is
// received. The last line of this test file will cause this trigger.
promise_test(t => {
let count = { "null": 0, "undefined": 0, "nodefault": 0 };
return new Promise((resolve, reject) => {
document.addEventListener("securitypolicyviolation", e => {
e.stopPropagation();
// We count the violation reports. We expect one each for "null" and
// "undefined", one each for the "no default" test case above, and one
// for the "done" line at the end, which signals the end of the test run.
if (e.sample.includes("done")) {
resolve(count);
} else if (e.sample.includes("null")) {
count["null"]++;
} else if (e.sample.includes("undefined")) {
count["undefined"]++;
} else if (e.sample.includes("nodefault")) {
count["nodefault"]++;
} else {
reject();
}
});
}).then(counters => {
for (const counter of ["null", "undefined", "nodefault"]) {
assert_equals(counters[counter], testCases.length,
"event count of " + counter);
}
});
}, "Count SecurityPolicyViolation events.");
const testCases = [
[ "script", "src" ],
[ "div", "innerHTML" ],
[ "script", "text" ],
];
// Try each test case _without_ a default policy.
testCases.forEach(c => {
test(t => {
const element = document.createElement(c[0]);
assert_throws_js(TypeError, _ => element[c[1]] = "nodefault");
assert_equals(element[c[1]], "");
}, `${c[0]}.${c[1]} no default policy`);
});
// A trusted type policy that forces a number of edge cases.
function policy(str, trustedTypeName, sink) {
if (str == "throw")
throw RangeError();
else if (str == "null")
return null;
else if (str == "undefined")
return undefined;
else if (str == "typeerror")
return document.bla();
else if (str == "done")
return null;
else {
switch (trustedTypeName) {
case "TrustedScriptURL":
assert_equals(sink, 'HTMLScriptElement src');
break;
case "TrustedHTML":
assert_equals(sink, 'Element innerHTML');
break;
case "TrustedScript":
assert_equals(sink, 'HTMLScriptElement text');
break;
default:
assert_unreached(`Unknown trusted type name '${trustedTypeName}'`);
}
return "sanitized: " + str;
}
}
trustedTypes.createPolicy("default", {
createScriptURL: policy,
createHTML: policy,
createScript: policy
});
testCases.forEach(c => {
const name = `${c[0]}.${c[1]} `;
test(t => {
const element = document.createElement(c[0]);
element[c[1]] = "abc";
assert_equals(element[c[1]], "sanitized: abc");
}, name + "default");
test(t => {
const element = document.createElement(c[0]);
assert_throws_js(TypeError, _ => element[c[1]] = "null");
assert_equals(element[c[1]], "");
}, name + "null");
test(t => {
const element = document.createElement(c[0]);
assert_throws_js(RangeError, _ => element[c[1]] = "throw");
}, name + "throw");
test(t => {
const element = document.createElement(c[0]);
assert_throws_js(TypeError, _ => element[c[1]] = "undefined");
assert_equals(element[c[1]], "");
}, name + "undefined");
test(t => {
const element = document.createElement(c[0]);
assert_throws_js(TypeError, _ => element[c[1]] = "typeerror");
}, name + "typeerror");
});
// Trigger the exit condition in the "Count" promise test above.
try { document.createElement("script").text = "done"; } catch (e) {}
</script>
</body>