[Gecko Bug 1940493] Implement trusted-types-eval CSP script-src keyword.

content-security-policy/script-src/script-src-trusted_types_eval_DedicatedWorker.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id="log"></div>
+<script>
+  // WebKit test runner assumes the tests always run in the same order, so make
+  // sure fetch_tests_from_worker tests run sequentially.
+  setup({explicit_done: true});
+  (async function() {
+    await fetch_tests_from_worker(new Worker("support/script-src-trusted_types_eval_with_require_trusted_types_eval_DedicatedWorker.js"));
+    await fetch_tests_from_worker(new Worker("support/script-src-trusted_types_eval_without_require_trusted_types_eval_DedicatedWorker.js"));
+    await fetch_tests_from_worker(new Worker("support/script-src-trusted_types_eval_with_report_only_require_trusted_types_eval_DedicatedWorker.js"));
+    done();
+  })();
+</script>

content-security-policy/script-src/support/script-src-trusted_types_eval_with_report_only_require_trusted_types_eval_DedicatedWorker.js

@@ -0,0 +1,28 @@
+const testSetupPolicy = trustedTypes.createPolicy("p", { createScriptURL: s => s });
+importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
+
+trustedTypes.createPolicy('default', {createScript: s => s});
+
+var evalScriptRan = false;
+
+async_test(function(t) {
+  var eventHandler = t.step_func_done(function(e) {
+    assert_false(evalScriptRan);
+    assert_equals(e.effectiveDirective, 'script-src');
+    assert_equals(e.blockedURI, 'eval');
+  });
+  self.addEventListener('securitypolicyviolation', eventHandler);
+  t.add_cleanup(() => {
+    self.removeEventListener('securitypolicyviolation', eventHandler);
+  });
+  assert_throws_js(Error,
+    function() {
+      try {
+        eval("evalScriptRan = true;");
+      } catch (e) {
+        throw new Error();
+    }
+  });
+}, "Scripts injected via direct `eval` are not allowed with `trusted-types-eval` when `require-trusted-types-for 'script'` is report only (Dedicated Worker).");
+
+done();

content-security-policy/script-src/support/script-src-trusted_types_eval_with_report_only_require_trusted_types_eval_DedicatedWorker.js.headers

@@ -0,0 +1,2 @@
+Content-Security-Policy: script-src 'self' 'trusted-types-eval';
+Content-Security-Policy-Report-Only: require-trusted-types-for 'script';

content-security-policy/script-src/support/script-src-trusted_types_eval_with_require_trusted_types_eval_DedicatedWorker.js

@@ -0,0 +1,23 @@
+const testSetupPolicy = trustedTypes.createPolicy("p", { createScriptURL: s => s });
+importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
+
+trustedTypes.createPolicy('default', {createScript: s => s});
+
+var evalScriptRan = false;
+
+async_test(function(t) {
+  var eventHandler = t.unreached_func('No CSP violation report has fired.');
+  self.addEventListener('securitypolicyviolation', eventHandler);
+  t.add_cleanup(() => {
+    self.removeEventListener('securitypolicyviolation', eventHandler);
+  });
+  try {
+    eval("evalScriptRan = true;");
+  } catch (e) {
+    assert_unreached("`eval` should be allowed with `trusted-types-eval` and `require-trusted-types-for 'script'`.");
+  }
+  assert_true(evalScriptRan);
+  t.done();
+}, "Script injected via direct `eval` is allowed with `trusted-types-eval` and `require-trusted-types-for 'script'` (Dedicated Worker).");
+
+done();

content-security-policy/script-src/support/script-src-trusted_types_eval_with_require_trusted_types_eval_DedicatedWorker.js.headers

@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'trusted-types-eval'; require-trusted-types-for 'script';

content-security-policy/script-src/support/script-src-trusted_types_eval_without_require_trusted_types_eval_DedicatedWorker.js

@@ -0,0 +1,28 @@
+const testSetupPolicy = trustedTypes.createPolicy("p", { createScriptURL: s => s });
+importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
+
+trustedTypes.createPolicy('default', {createScript: s => s});
+
+var evalScriptRan = false;
+
+async_test(function(t) {
+  var eventHandler = t.step_func_done(function(e) {
+    assert_false(evalScriptRan);
+    assert_equals(e.effectiveDirective, 'script-src');
+    assert_equals(e.blockedURI, 'eval');
+  });
+  self.addEventListener('securitypolicyviolation', eventHandler);
+  t.add_cleanup(() => {
+    self.removeEventListener('securitypolicyviolation', eventHandler);
+  });
+  assert_throws_js(Error,
+    function() {
+      try {
+        eval("evalScriptRan = true;");
+      } catch (e) {
+        throw new Error();
+    }
+  });
+}, "Scripts injected via direct `eval` are not allowed with `trusted-types-eval` without `require-trusted-types-for 'script'` (DedicatedWorker).");
+
+done();

content-security-policy/script-src/support/script-src-trusted_types_eval_without_require_trusted_types_eval_DedicatedWorker.js.headers

@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'trusted-types-eval';