chromium/third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/isolated-world-eval-csp.js

/**
 * Probes whether eval() works in the JavaScript world this function runs in
 * and logs a PASS/FAIL line comparing the outcome with the expectation.
 *
 * testEvalInIsolatedWorld() serializes this function with toString() and
 * re-evaluates it in an isolated world, so the body must stay self-contained:
 * it may only use globals present in every world (eval, console, window) and
 * must not close over anything declared elsewhere in this file.
 *
 * @param {boolean} expectBlocked - true when eval is expected to be rejected.
 */
function testEval(expectBlocked) {
  let evalBlocked;
  try {
    // A blocked eval normally throws; the value comparison additionally
    // treats an eval that returns something other than 200 as "blocked".
    const result = eval('200');
    evalBlocked = !(result == 200);
  } catch (error) {
    // The exception is logged so it appears in the console output of the run.
    console.log(error);
    evalBlocked = true;
  } finally {
    const asExpected = expectBlocked === evalBlocked;
    let verdict;
    if (asExpected) {
      verdict = expectBlocked ? 'PASS: eval blocked as expected.' :
                                'PASS: eval allowed as expected.';
    } else {
      // A mismatch means the observed state is the opposite of the expected
      // one, hence "allowed" when a block was expected and vice versa.
      verdict = expectBlocked ? 'FAIL: eval allowed unexpectedly.' :
                                'FAIL: eval blocked unexpectedly.';
    }
    console.log(verdict);

    // Signal the driver to advance. The '*' targetOrigin is tolerable here
    // because the payload is only the literal 'next' and carries no data.
    window.postMessage('next', '*');
  }
}

// Security origin handed to testRunner.setIsolatedWorldInfo() for the worlds
// that get their own CSP. Note the scheme is spelled 'chrome-extensions';
// presumably an arbitrary stand-in origin for the test -- confirm before
// reusing it elsewhere.
const isolatedWorldSecurityOrigin = 'chrome-extensions://123';

// ID of the isolated world used by the sub-test currently running. The
// sub-tests increment it so that each of them runs in a fresh world.
let isolatedWorldId = 1;

/**
 * Runs testEval() inside the isolated world selected by isolatedWorldId.
 *
 * The script handed to the test runner is the source text of testEval
 * followed by a call to it, so the isolated world gets its own copy of the
 * function instead of sharing the main world's.
 *
 * @param {boolean} expectBlocked - forwarded to testEval() in that world.
 */
function testEvalInIsolatedWorld(expectBlocked) {
  // The argument is collapsed to one of two fixed literals before it is
  // spliced into script text, so no caller-supplied string reaches the
  // evaluated source.
  const flagLiteral = expectBlocked ? 'true' : 'false';
  const script = `${testEval.toString()}\ntestEval(${flagLiteral});`;
  testRunner.evaluateScriptInIsolatedWorld(isolatedWorldId, script);
}

// Sub-tests, executed in array order by the message-driven loop at the bottom
// of this file. Each one ends up calling testEval() (directly or inside an
// isolated world), which posts the 'next' message that starts the following
// sub-test.
const tests = [
  // Main world: eval is expected to be rejected. The CSP responsible is not
  // set in this file; presumably the hosting page delivers it.
  () => {
    console.log(
        'Testing main world. Eval should be blocked by main world CSP.');
    testEval(true);
  },

  // Isolated world without a CSP of its own: eval is expected to work even
  // though the main world blocks it.
  () => {
    // TODO(karandeepb): Ideally we should use the main world CSP in this case.
    console.log(
        'Testing isolated world with no csp. Eval should be allowed.');
    testRunner.setIsolatedWorldInfo(isolatedWorldId, null, null);
    testEvalInIsolatedWorld(false);

    // We use a different isolated world ID for each test since the eval-based
    // CSP checks are set-up when a v8::context is initialized. This happens for
    // an isolated world when a script is executed in it for the first time.
    isolatedWorldId += 1;
  },

  // Isolated world whose own CSP forbids all script: eval must be blocked.
  () => {
    console.log('Testing isolated world with strict csp.');
    testRunner.setIsolatedWorldInfo(
        isolatedWorldId, isolatedWorldSecurityOrigin, "script-src 'none'");
    testEvalInIsolatedWorld(true);

    // Clear the origin/CSP again, then move on to a fresh world ID.
    testRunner.setIsolatedWorldInfo(isolatedWorldId, null, null);
    isolatedWorldId += 1;
  },

  // Isolated world whose own CSP opts in to 'unsafe-eval': eval must work.
  () => {
    console.log('Testing isolated world with permissive csp.');
    testRunner.setIsolatedWorldInfo(
        isolatedWorldId, isolatedWorldSecurityOrigin,
        "script-src 'unsafe-eval'");
    testEvalInIsolatedWorld(false);

    // Clear the origin/CSP again, then move on to a fresh world ID.
    testRunner.setIsolatedWorldInfo(isolatedWorldId, null, null);
    isolatedWorldId += 1;
  },
];

// This test is meaningless without testRunner.
if (window.testRunner) {
  testRunner.dumpAsText();
  // Keep the test open until notifyDone(); the sub-tests are chained through
  // 'message' events rather than run in one synchronous pass.
  testRunner.waitUntilDone();

  let currentTest = 0;

  // Advances to the next sub-test each time a 'next' message arrives.
  // NOTE(review): the handler checks neither event.origin nor event.source,
  // so any 'next' message advances the sequence. That is only reasonable
  // because this page runs solely under testRunner; do not copy the pattern
  // into production message handlers.
  const onMessage = (event) => {
    if (event.data != 'next') {
      return;
    }

    // Move to the next test.
    currentTest += 1;
    if (currentTest == tests.length) {
      testRunner.notifyDone();
      return;
    }

    // Move to the next sub-test.
    tests[currentTest]();
  };
  window.addEventListener('message', onMessage, false);

  // Kick off the chain; every later sub-test is started by onMessage.
  tests[0]();
}