Diffstat (limited to 'testing/web-platform/tests/content-security-policy/script-src')
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js1
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js3
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js18
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js21
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js8
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/inlineTests.js4
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html22
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html23
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html20
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html25
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html26
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers6
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html27
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers6
24 files changed, 321 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
new file mode 100644
index 000000000..7b6e85210
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_1.js
@@ -0,0 +1 @@
+var dataScriptRan = false; \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
new file mode 100644
index 000000000..ba586810f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/10_1_support_2.js
@@ -0,0 +1,3 @@
+test(function () {
+ assert_true(dataScriptRan, "data script ran");
+ }, "Verify that data: as script src runs with this policy"); \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
new file mode 100644
index 000000000..cd093ac94
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/addInlineTestsWithDOMManipulation.js
@@ -0,0 +1,18 @@
+(function () {
+
+ var dmTest = async_test("DOM manipulation inline tests");
+ var attachPoint = document.getElementById('attachHere');
+ var inlineScript = document.createElement('script');
+ var scriptText = document.createTextNode('dmTest.step(function() {assert_unreached("Unsafe inline script ran - createTextNode.")});');
+
+ inlineScript.appendChild(scriptText);
+ attachPoint.appendChild(inlineScript);
+
+ document.getElementById('emptyScript').innerHTML = 'dmTest.step(function() {assert_unreached("Unsafe inline script ran - innerHTML.")});';
+ document.getElementById('emptyDiv').outerHTML = '<script id=outerHTMLScript>dmTest.step(function() {assert_unreached("Unsafe inline script ran - outerHTML.")});</script>';
+
+ document.write('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.write")});</script>');
+ document.writeln('<script>dmTest.step(function() {assert_unreached("Unsafe inline script ran - document.writeln")});</script>');
+
+ dmTest.done();
+})(); \ No newline at end of file
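Review bot: `dmTest` is declared with `var` inside the IIFE, but every injected script string calls `dmTest.step(...)` from global scope, so a script that slipped past CSP would throw a ReferenceError instead of reaching `assert_unreached`. The regression would then show up, at best, as an uncaught-exception harness error rather than as the named assertion. Expose the test object globally, e.g. `window.dmTest = async_test("DOM manipulation inline tests");`. Separately, the `outerHTML` case is probably vacuous, because scripts created by the fragment parser are not executed regardless of policy; a comment should say so or the case should be dropped.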
diff --git a/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
new file mode 100644
index 000000000..8cd092147
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/buildInlineWorker.js
@@ -0,0 +1,21 @@
+(function ()
+{
+ var workerSource = document.getElementById('inlineWorker');
+ var blob = new Blob([workerSource.textContent]);
+
+ // can I create a new script tag like this? ack...
+ var url = window.URL.createObjectURL(blob);
+
+ try {
+ var worker = new Worker(url);
+ }
+ catch (e) {
+ done();
+ }
+
+ worker.addEventListener('message', function(e) {
+ assert_unreached("script ran");
+ }, false);
+
+ worker.postMessage('');
+})();
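Review bot: When `new Worker(url)` throws, the `catch` block calls `done()` and execution then falls through to `worker.addEventListener(...)` with `worker` undefined, raising a TypeError after the harness has been told the test is finished. Add `return;` after `done();` in the catch. The other blocked path is not handled either: if the worker is constructed but its blob: script is refused asynchronously, nothing calls `done()`, so an `error` listener such as `worker.addEventListener('error', function () { done(); });` is needed. The comment `// can I create a new script tag like this? ack...` should be replaced by one stating what the blob: URL is meant to exercise.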
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
new file mode 100644
index 000000000..ea2be272a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineSuccessTest.js
@@ -0,0 +1,8 @@
+var inlineRan = false;
+
+onload = function() {
+ test(function() {
+ assert_true(inlineRan, 'Unsafe inline script ran.')},
+ 'Inline script in a script tag should run with an unsafe-inline directive'
+ );
+} \ No newline at end of file
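Review bot: The assertion message `'Unsafe inline script ran.'` is printed when `inlineRan` is false, which is exactly when the inline script did not run, so a failure log states the opposite of what happened. A message such as `assert_true(inlineRan, 'Inline script did not run.')` fits this positive test. Assigning the bare global `onload` also replaces any other load handler on the including page; `addEventListener('load', ...)` avoids that.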
diff --git a/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
new file mode 100644
index 000000000..6e76b0a17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/inlineTests.js
@@ -0,0 +1,4 @@
+var t1 = async_test("Inline script block");
+var t2 = async_test("Inline event handler");
+
+onload = function() {t1.done(); t2.done()} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
new file mode 100644
index 000000000..c83f512bf
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineTests.js'></script>
+</head>
+<body>
+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src 'self'.</h1>
+ <div id='log'></div>
+
+ <script>
+ t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+ </script>
+
+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
new file mode 100644
index 000000000..d91fe1c87
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
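Review bot: `Cache-Control: post-check=0, pre-check=0, false` carries a stray `false` token, which is not a cache directive and looks like a leftover from a PHP `header(..., false)` call. The line should read `Cache-Control: post-check=0, pre-check=0`. The same line is repeated in every other `.sub.headers` file added by this change (script-src-1_10 through script-src-1_4_2).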
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
new file mode 100644
index 000000000..137a16421
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>data: as script src should not run with a policy that doesn't specify data: as an allowed source</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>data: as script src should not run with a policy that doesn't specify data: as an allowed source</h1>
+ <div id='log'></div>
+
+ <script>
+ var dataScriptRan = false;
+ </script>
+
+ <!-- This is our test case, but we don't expect it to actually execute if CSP is working. -->
+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+ <script>
+ test(function () {
+ assert_false(dataScriptRan, "data script ran");
+ }, "Verify that data: as script src doesn't run with this policy");
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=default-src%20%27self%27+%27unsafe-inline%27'></script>
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
new file mode 100644
index 000000000..6c0c0fd0a
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
new file mode 100644
index 000000000..f1bfee200
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'</h1>
+ <div id='log'></div>
+
+ <script src="10_1_support_1.js"></script>
+
+ <script src="data:text/javascript;charset=utf-8;base64,ZGF0YVNjcmlwdFJhbiA9IHRydWU7"></script>
+
+ <script src="10_1_support_2.js"></script>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+</body>
+</html> \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
new file mode 100644
index 000000000..dfb6f345f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_10_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_10_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' data:; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
new file mode 100644
index 000000000..a41310da9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html
@@ -0,0 +1,22 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script should not run without 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineTests.js'></script>
+</head>
+<body>
+ <h1>Inline script should not run without 'unsafe-inline' script-src directive, even for script-src *.</h1>
+ <div id='log'></div>
+
+ <script>
+ t1.step(function() {assert_unreached('Unsafe inline script ran.');});
+ </script>
+
+ <img src='doesnotexist.jpg' onerror='t2.step(function() { assert_unreached("Unsafe inline event handler ran.") });'>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27'></script>
+
+</body>
+</html>
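Review bot: The `checkReport.sub.js` query expects the violated directive to be `script-src 'self'` (`reportValue=script-src%20%27self%27`), but script-src-1_2.html.sub.headers sends `script-src *`, so the report check does not match the policy under test. The value appears to be copied from script-src-1_1.html; use `reportValue=script-src%20*`, as script-src-1_2_1.html does. The `<title>` also omits the "even for script-src *" qualifier that the `<h1>` carries, which makes it identical to the title of script-src-1_1.html.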
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
new file mode 100644
index 000000000..4cf9c6950
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
new file mode 100644
index 000000000..255f5df9c
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html
@@ -0,0 +1,23 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src *</h1>
+ <div id="log"></div>
+
+ <div id=attachHere></div>
+
+ <script id=emptyScript></script>
+
+ <div id=emptyDiv></div>
+
+ <script src="addInlineTestsWithDOMManipulation.js"></script>
+
+ <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20*"></script>
+
+</body>
+</html> \ No newline at end of file
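Review bot: The `<title>` and `<h1>` say "even with default-src *", but the accompanying headers file sends `script-src *` and the report check on this page expects `script-src%20*`. The description should name `script-src *` so the page documents the policy it actually runs under. The unquoted attributes (`id=attachHere`, `id=emptyScript`, `id=emptyDiv`) are also inconsistent with the quoted style used elsewhere on the page.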
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
new file mode 100644
index 000000000..9c58f0efc
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_2_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_2_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src *; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
new file mode 100644
index 000000000..30e6f6870
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+ <script src='inlineSuccessTest.js'></script>
+</head>
+<body>
+ <h1>Positive test case: Inline script should run 'unsafe-inline' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+ inlineRan = true;
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportExists=false'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
new file mode 100644
index 000000000..8227c6272
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_3.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_3={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
new file mode 100644
index 000000000..5293183d3
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>eval() should not run without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>eval() should not run without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+
+ var evalRan = false;
+
+ test(function() {assert_throws(new EvalError(), function() { eval('evalRan = true;') })}, "eval() should throw without 'unsafe-eval' keyword source in script-src directive.");
+
+ test(function() {assert_false(evalRan);})
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
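Review bot: The second test, `test(function() {assert_false(evalRan);})`, has neither a name nor an assertion message, so it is reported under a default name and a failure does not say what was checked. Give it both, e.g. `test(function() {assert_false(evalRan, "eval() ran");}, "eval() should have no side effects without 'unsafe-eval'.");`.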
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
new file mode 100644
index 000000000..28ad14b60
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
new file mode 100644
index 000000000..31664a169
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>setTimeout() and setInterval() should not run without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+ var t1 = async_test("window.setTimeout()");
+ var t2 = async_test("window.setInterval()");
+
+ onload = function() {t1.done(); t2.done()}
+
+ window.setTimeout('t1.step(function() {assert_unreached("window.setTimeout() ran without unsafe-eval.")})',0);
+ window.setInterval('t2.step(function() {assert_unreached("window.setInterval() ran without unsafe-eval.")})',0);
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-eval%27'></script>
+
+</body>
+</html>
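Review bot: The report check expects `script-src 'self' 'unsafe-eval'` (`reportValue=script-src%20%27self%27+%27unsafe-eval%27`), while script-src-1_4_1.html.sub.headers sends `script-src 'self' 'unsafe-inline'`. A policy that did contain `'unsafe-eval'` would not produce this violation at all. The value should be `script-src%20%27self%27+%27unsafe-inline%27`, as in script-src-1_4.html. In addition, both tests are completed in `onload`, which may not be ordered after a 0 ms timer, and the `setInterval` handle is never cleared.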
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
new file mode 100644
index 000000000..6bd48d1de
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_1.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_1={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
new file mode 100644
index 000000000..31382936f
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html
@@ -0,0 +1,27 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</title>
+ <script src='/resources/testharness.js'></script>
+ <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+ <h1>Function() called as a constructor should throw without 'unsafe-eval' script-src directive.</h1>
+ <div id='log'></div>
+
+ <script>
+
+ test(function() {
+ assert_throws(
+ new EvalError(),
+ function() {
+ var funq = new Function('');
+ funq();
+ })}, "Unsafe eval ran in Function() constructor.");
+
+ </script>
+
+ <script async defer src='../support/checkReport.sub.js?reportField=violated-directive&reportValue=script-src%20%27self%27+%27unsafe-inline%27'></script>
+
+</body>
+</html>
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
new file mode 100644
index 000000000..314849bb9
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-1_4_2.html.sub.headers
@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: script-src-1_4_2={{$id:uuid()}}; Path=/content-security-policy/script-src/
+Content-Security-Policy: script-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}} \ No newline at end of file