Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb

Differential Revision: https://phabricator.services.mozilla.com/D1011

dom/security/test/csp/mochitest.ini

@@ -249,6 +249,8 @@ prefs =
 [test_bug885433.html]
 [test_bug888172.html]
 [test_evalscript.html]
+[test_evalscript_blocked_by_strict_dynamic.html]
+[test_evalscript_allowed_by_strict_dynamic.html]
 [test_frameancestors.html]
 [test_frameancestors_userpass.html]
 skip-if = toolkit == 'android' # Times out, not sure why (bug 1008445)

dom/security/test/csp/test_evalscript_allowed_by_strict_dynamic.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" 
+        content="script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval'">
+  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
+  </title>
+  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+  </script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' 'unsafe-eval' CSP and
+ * check if the eval function is allowed correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+  eval("1");
+  ok(true, "eval allowed by CSP");
+}
+catch (ex) {
+  ok(false, "eval should be allowed by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>

dom/security/test/csp/test_evalscript_blocked_by_strict_dynamic.html

@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta http-equiv="Content-Security-Policy" 
+        content="script-src 'nonce-foobar' 'strict-dynamic'">
+  <title>Bug 1439330  - CSP: eval is not blocked if 'strict-dynamic' is enabled
+  </title>
+  <script nonce="foobar" type="application/javascript" src="/tests/SimpleTest/SimpleTest.js">
+  </script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+</head>
+<body>
+<script nonce="foobar">
+
+/* Description of the test:
+ * We apply the script-src 'nonce-foobar' 'strict-dynamic' CSP and
+ * check if the eval function is blocked correctly by the CSP.
+ */
+
+SimpleTest.waitForExplicitFinish();
+
+// start the test
+try {
+  eval("1");
+  ok(false, "eval should be blocked by CSP");
+}
+catch (ex) {
+  ok(true, "eval blocked by CSP");
+}
+
+SimpleTest.finish();
+
+</script>
+</body>
+</html>