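// some javascript for the CSP eval() tests
// all of these evals should succeed, as the document loading this script
// has script-src 'self' 'unsafe-eval'

/**
 * Append a coloured result box to the end of the document body.
 *
 * @param {string} str - Result text to show in the box.
 * @param {boolean} passed - Truthy renders a green (pass) box, falsy a red (fail) box.
 */
function logResult(str, passed) {
  var elt = document.createElement('div');
  // Both colours are written without a trailing ';' so the style string below
  // has exactly one separator after the colour.
  var color = passed ? '#cfc' : '#fcc';
  elt.setAttribute('style', 'background-color:' + color + '; width:100%; border:1px solid black; padding:3px; margin:4px;');
  // textContent rather than innerHTML: the message is built by concatenating
  // the caller's `what` and `data` strings, and a result box only needs to
  // show them as text. Keeping the HTML parser out of the path means a '<'
  // or '&' in a message can never turn into markup in the test document.
  elt.textContent = str;
  document.body.appendChild(elt);
}

/**
 * Callback for when an eval-like construct was allowed to run by CSP.
 * Reports to the parent frame via window.parent.scriptRan() and logs a box
 * that is green when the construct was expected to run.
 *
 * @param {boolean} shouldrun - Whether the construct was expected to run.
 * @param {string} what - Label of the construct under test.
 * @param {string} data - Human-readable detail for the log line.
 */
var onevalexecuted = (function(window) {
  // `window` is captured by the closure so the callback keeps using this
  // frame's window object.
  return function(shouldrun, what, data) {
    window.parent.scriptRan(shouldrun, what, data);
    logResult((shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data, shouldrun);
  };
})(window);

/**
 * Callback for when an eval-like construct was blocked.
 * Reports to the parent frame via window.parent.scriptBlocked() and logs a
 * box that is green when the construct was NOT expected to run.
 *
 * @param {boolean} shouldrun - Whether the construct was expected to run.
 * @param {string} what - Label of the construct under test.
 * @param {string} data - Human-readable detail for the log line.
 */
var onevalblocked = (function(window) {
  return function(shouldrun, what, data) {
    window.parent.scriptBlocked(shouldrun, what, data);
    logResult((shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data, !shouldrun);
  };
})(window);


// Defer until document is loaded so that we can write the pretty result boxes
// out.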
addEventListener('load', function() {
  // Flag flipped by foo(); read by checkResult() to learn whether the
  // timer-driven eval at the bottom of this handler actually ran.
  var bar = false;

  // Target of the 'window.foo();' string handed to setTimeout(eval, ...).
  function foo() {
    bar = true;
  }

  // Reports the outcome of the setTimeout(eval, 0, str) case from the flag,
  // because a failure of that call cannot be observed with try/catch.
  function checkResult() {
    if (!bar) {
      onevalblocked(true, "setTimeout(eval, 0, str)",
                    "setTimeout(eval, 0, str) was blocked.");
      return;
    }
    onevalexecuted(true, "setTimeout(eval, 0, str)",
                   "setTimeout(eval, 0, string) was enabled.");
  }

  // Every case below passes shouldrun=true: per the file header the loading
  // document allows 'unsafe-eval', so each string-to-code path is expected
  // to execute and a catch branch firing is reported as a failure.

  // setTimeout(String) test -- should pass
  // A string first argument is compiled as script, so it is an eval-like sink.
  try {
    setTimeout('onevalexecuted(true, "setTimeout(String)", "setTimeout with a string was enabled.");', 10);
  } catch (err) {
    onevalblocked(true, "setTimeout(String)",
                  "setTimeout with a string was blocked");
  }

  // setTimeout(function) test -- should pass
  // No string compilation happens here; this is the control case.
  try {
    setTimeout(function() {
      onevalexecuted(true, "setTimeout(function)",
                     "setTimeout with a function was enabled.");
    }, 10);
  } catch (err) {
    onevalblocked(true, "setTimeout(function)",
                  "setTimeout with a function was blocked");
  }

  // eval() test
  try {
    eval('onevalexecuted(true, "eval(String)", "eval() was enabled.");');
  } catch (err) {
    onevalblocked(true, "eval(String)",
                  "eval() was blocked");
  }

  // eval(foo,bar) test
  // NOTE(review): the executed label is "eval(String,scope)" while the
  // blocked label is "eval(String,object)"; confirm the harness does not
  // match results up by label.
  try {
    eval('onevalexecuted(true, "eval(String,scope)", "eval() was enabled.");',1);
  } catch (err) {
    onevalblocked(true, "eval(String,object)",
                  "eval() with scope was blocked");
  }

  // [foo,bar].sort(eval) test
  // eval is reached indirectly, as the comparator callback of sort().
  // NOTE(review): which element sort() hands to the comparator first is up
  // to the engine; if the number arrives first, eval returns it unchanged
  // and neither callback fires -- confirm the harness notices a missing
  // report.
  try {
    ['onevalexecuted(true, "[String, obj].sort(eval)", "eval() was enabled.");',1].sort(eval);
  } catch (err) {
    onevalblocked(true, "[String, obj].sort(eval)",
                  "eval() with scope via sort was blocked");
  }

  // [].sort.call([foo,bar], eval) test
  // NOTE(review): the executed label reuses "[String, obj].sort(eval)" from
  // the previous case, so a pass here is indistinguishable from that one in
  // the log; the blocked label is the only one naming sort.call.
  try {
    [].sort.call(['onevalexecuted(true, "[String, obj].sort(eval)", "eval() was enabled.");',1], eval);
  } catch (err) {
    onevalblocked(true, "[].sort.call([String, obj], eval)",
                  "eval() with scope via sort/call was blocked");
  }

  // new Function() test
  // The Function constructor compiles its string body, like eval.
  try {
    var dynamicFn = new Function('onevalexecuted(true, "new Function(String)", "new Function(String) was enabled.");');
    dynamicFn();
  } catch (err) {
    onevalblocked(true, "new Function(String)",
                  "new Function(String) was blocked.");
  }

  // Expose foo on the window so the timer-driven eval string can reach it.
  window.foo = foo;

  // setTimeout(eval, 0, str)

  // error is not catchable here
  // (eval is invoked later by the timer, outside any try block in this
  // handler, so the outcome is read back through `bar` instead)

  setTimeout(eval, 0, 'window.foo();');

  // Queued after the eval timer with the same delay, so the flag is checked
  // once that timer has had its turn.
  setTimeout(checkResult.bind(this), 0);

}, false);