1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
<!DOCTYPE html>
<html>
<head>
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self';">
<title>filesystem-urls-do-not-match-self</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src='../support/logTest.sub.js?logs=["violated-directive=script-src-elem"]'></script>
<script src="../support/alertAssert.sub.js?alerts=[]"></script>
</head>
<body>
<p>
filesystem: URLs are same-origin with the page in which they were created, but explicitly do not match the 'self' or '*' source in CSP directives because they are more akin to 'unsafe-inline' content..
</p>
<script>
window.addEventListener('securitypolicyviolation', function(e) {
log("violated-directive=" + e.violatedDirective);
});
if(!window.webkitRequestFileSystem) {
t_log = async_test();
t_log.set_status(t_log.NOTRUN, "No filesystem:// support, cannot run test.");
t_log.phase = t_log.phases.HAS_RESULT;
t_log.done();
log("violated-directive=script-src"); // simulate needed logs to pass test
} else {
function fail() {
alert_assert("FAIL!");
}
window.webkitRequestFileSystem(
TEMPORARY, 1024 * 1024 /*1MB*/ , function(fs) {
fs.root.getFile('fail.js', {
create: true
}, function(fileEntry) {
fileEntry.createWriter(function(fileWriter) {
fileWriter.onwriteend = function(e) {
var script = document.createElement('script');
script.src = fileEntry.toURL('application/javascript');
document.body.appendChild(script);
};
// Create a new Blob and write it to pass.js.
var b = new Blob(['fail();'], {
type: 'application/javascript'
});
fileWriter.write(b);
});
});
});
}
</script>
<div id="log"></div>
</body>
</html>
|
