Bug 1620238 [wpt PR 22102] - [Trusted Types] Gate eval on require-tt-for., a=testonly

Automatic update from web-platform-tests
[Trusted Types] Gate eval on require-tt-for.

Also, tidy up enforcement headers in WPTs, update one.

Bug: 1058437
Change-Id: Ic24b0297af04230562b104fd6664387cba5b169b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2089772
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#747320}

--

wpt-commits: 261dd95ad3bf4b36b971fe4832dc2f313c491448
wpt-pr: 22102
Stefano Sanfilippo 2020-03-05 21:35:34 +00:00 committed by moz-wptsync-bot
Parent 68a11d8c6c
Commit fccaebfe50
6 changed files: 5 additions and 7 deletions

View file

@ -6,7 +6,7 @@
<script nonce="abc" src="support/helper.sub.js"></script>
<!-- Note: Trusted Types enforcement, and a CSP that does not blanket-allow eval. -->
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; trusted-types *">
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'; require-trusted-types-for 'script'">
</head>
<body>
<script nonce="abc">

View file

@ -4,7 +4,7 @@
<script nonce="abc" src="/resources/testharness.js"></script>
<script nonce="abc" src="/resources/testharnessreport.js"></script>
<script nonce="abc" src="support/helper.sub.js"></script>
<meta http-equiv="Content-Security-Policy" content="trusted-types *">
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
</head>
<body>
<script>
@ -16,7 +16,7 @@
}, "eval of TrustedScript works.");
test(t => {
assert_equals(eval('1+1'), 2);
assert_equals(eval('1+1'), 15); // '1+1' + 4 becomes '1+14'.
}, "eval of string works.");
test(t => {
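
Review bot: the test title "eval of string works." no longer says what the assertion with the expected value 15 checks. Going by its inline comment ("'1+1' + 4 becomes '1+14'"), this case verifies that a plain string is rewritten before it reaches eval, not that it is evaluated as written. Rename the test to state that, and have the comment say where the appended 4 comes from, since that code is outside the hunk and 15 reads as a magic number without it.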

View file

@ -10,9 +10,9 @@
// (rather than as "<meta http-equiv" tags). This test assumes the following
// headers are set in the .headers file:
//
// Content-Security-Policy: trusted-types *
// Content-Security-Policy: script-src 'unsafe-inline'; report-uri ...
// Content-Security-Policy: plugin-types bla/blubb
// Content-Security-Policy: require-trusted-types-for 'script'
//
// The last rule is there so we can provoke a CSP violation report at will.
// The intent is that in order to test that a violation has *not* been thrown
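
Review bot: the sentence "The last rule is there so we can provoke a CSP violation report at will." is ambiguous against the header list directly above it, which ends with require-trusted-types-for 'script' while plugin-types bla/blubb sits one line higher. Name the directive in that sentence instead of relying on its position in the list, so the comment stays correct when the list is reordered or extended.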

View file

@ -1,4 +1,3 @@
Content-Security-Policy: trusted-types *
Content-Security-Policy: script-src http: https: 'nonce-123' 'report-sample'
Content-Security-Policy: plugin-types bla/blubb
Content-Security-Policy: require-trusted-types-for 'script'

View file

@ -9,9 +9,9 @@
// (rather than as "<meta http-equiv" tags). This test assumes the following
// headers are set in the .headers file:
//
// Content-Security-Policy: trusted-types *
// Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...
// Content-Security-Policy: plugin-types bla/blubb
// Content-Security-Policy: require-trusted-types-for 'script'
//
// The last rule is there so we can provoke a CSP violation report at will.
// The intent is that in order to test that a violation has *not* been thrown
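
Review bot: the script-src line in this comment ("script-src 'unsafe-inline' 'unsafe-eval'; report-uri ...") does not match the script-src in the .headers hunk that follows ("script-src http: https: 'nonce-123' 'unsafe-eval'"), assuming that hunk is this test's headers file. Since the comment is being edited anyway, update it to the value actually served, or replace the list with a pointer to the .headers file so the two cannot drift apart.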

View file

@ -1,4 +1,3 @@
Content-Security-Policy: trusted-types *
Content-Security-Policy: script-src http: https: 'nonce-123' 'unsafe-eval'
Content-Security-Policy: plugin-types bla/blubb
Content-Security-Policy: require-trusted-types-for 'script'