-
Notifications
You must be signed in to change notification settings - Fork 3.8k
Expand file tree
/
Copy pathscript-enforcement-001-outerHTML.xhtml
More file actions
35 lines (35 loc) · 1.58 KB
/
Copy pathscript-enforcement-001-outerHTML.xhtml
File metadata and controls
35 lines (35 loc) · 1.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="support/namespaces.js"></script>
<script src="support/passthroughpolicy.js"></script>
<script src="support/script-messages.js"></script>
<link rel="help" href="https://w3c.github.io/trusted-types/dist/spec/#enforcement-in-scripts"/>
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';"/>
</head>
<body>
<!--- See script-enforcement-001.html an explanation of this test.
The HTML parser won't create a child element for the span child of
scriptForOuterHTMLTest below, so we instead rely on the XHTML parser. -->
<div>
<script id="scriptForOuterHTMLTest" type="unknown"><span></span></script>
</div>
<div id="container"></div>
<script>
promise_test(async t => {
await promise_rejects_js(t, TypeError, script_messages_for(_ => {
document.createElement("script").outerHTML = LOG_RUN_MESSAGE;
}), "TrustedHTML required.");
await no_script_message_for(_ => {
let script = document.getElementById("scriptForOuterHTMLTest");
script.remove();
script.removeAttribute("type");
script.firstElementChild.outerHTML = passthroughpolicy.createHTML(LOG_RUN_MESSAGE);
document.getElementById("container").appendChild(script);
});
}, "Script source set via TrustedHTML sink Element.outerHTML drops trustworthiness.");
</script>
</body>
</html>