<?php
header("Expires: Thu, 01 Dec 2003 16:00:00 GMT");
header("Cache-Control: no-cache, must-revalidate");
header("Pragma: no-cache");
if ($_GET["csp"]) {
$csp = $_GET["csp"];
// If the magic quotes option is enabled, the CSP could be escaped and
// the test would fail.
if (get_magic_quotes_gpc()) {
$csp = stripslashes($csp);
}
header("Content-Security-Policy: " . $csp);
} else if ($_GET["type"] == "multiple-headers") {
header("Content-Security-Policy: connect-src 'none'");
header("Content-Security-Policy: script-src 'self'", false);
}
if ($_GET["expectation"] != "none") {
?>
importScripts("/resources/testharness.js");
<?php
}
if ($_GET["type"] == "eval") {
if ($_GET["expectation"] == "none") {
?>
try {
eval("1+1");
postMessage({"state": "allowed", "msg": "`eval()` executed with '<?php echo $_GET["csp"] ?>'"});
} catch (e) {
postMessage({"state": "blocked", "msg": "`eval()` threw '" + e.name + "' with '<?php echo $_GET["csp"] ?>'"});
}
<?php
} else if ($_GET["expectation"] == "blocked") {
?>
test(function (t) {
assert_throws_js(EvalError,
function () { eval("1 + 1"); },
"`eval()` should throw 'EvalError'.");
assert_throws_js(EvalError,
function () { var x = new Function("1 + 1"); },
"`new Function()` should throw 'EvalError'.");
assert_equals(setTimeout("assert_unreached('setTimeout([string]) should not execute.')", 0), 0, "`setTimeout([string])` should return 0.");
}, "`eval()` with '<?php echo $_GET["csp"] ?>' blocked");
<?php
} else {
?>
importScripts("/resources/testharness.js");
test(function (t) {
var x = 0;
x = eval("1 + 1");
assert_equals(x, 2);
}, "`eval()` with '<?php echo $_GET["csp"] ?>' allowed");
<?php
}
}
if ($_GET["expectation"] != "none") {
?>
// An explicit `done()` is required for Workers.
done();
<?php
}
?>
Codebase Browser
chromium