DXR will be turned off on Tuesday, December 29th. It will redirect to Searchfox.
See the announcement on Discourse.

DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (c68fe15a81fc)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113
<!DOCTYPE html>
<head>
  <script nonce="123" src="/resources/testharness.js"></script>
  <script nonce="123"src="/resources/testharnessreport.js"></script>
  <script nonce="123"src="/content-security-policy/support/testharness-helper.js"></script>
</head>
<body>
  <script nonce="123">
  // CSP insists the "trusted-types: ..." directives are deliverd as headers
  // (rather than as "<meta http-equiv" tags). This test assumes the following
  // headers are set in the .headers file:
  //
  //   Content-Security-Policy: script-src 'unsafe-inline'; report-uri ...
  //   Content-Security-Policy: plugin-types bla/blubb
  //   Content-Security-Policy: require-trusted-types-for 'script'
  //
  // The last rule is there so we can provoke a CSP violation report at will.
  // The intent is that in order to test that a violation has *not* been thrown
  // (and without resorting to abominations like timeouts), we force a *another*
  // CSP violation (by violating the img-src rule) and when that event is
  // processed we can we sure that an earlier event - if it indeed occurred -
  // must have already been processed.

  // Return function that returns a promise that resolves on the given
  // violation report.
  // how_many - how many violation events are expected.
  // filter_arg - iff function, call it with the event object.
  //              Else, string-ify and compare against event.originalPolicy.
  function promise_violation(filter_arg) {
    return _ => new Promise((resolve, reject) => {
      function handler(e) {
        let matches = (filter_arg instanceof Function)
            ? filter_arg(e)
            : (e.originalPolicy.includes(filter_arg));
        if (matches) {
          document.removeEventListener("securitypolicyviolation", handler);
          e.stopPropagation();
          resolve(e);
        }
      }
      document.addEventListener("securitypolicyviolation", handler);
    });
  }

  // Like assert_throws_*, but we don't care about the exact error. We just want
  // to run the code and continue.
  function expect_throws(fn) {
    try { fn(); assert_unreached(); } catch (err) { /* ignore */ }
  }

  // A sample policy we use to test trustedTypes.createPolicy behaviour.
  const id = x => x;
  const a_policy = {
    createHTML: id,
    createScriptURL: id,
    createURL: id,
    createScript: id,
  };

  const scriptyPolicy = trustedTypes.createPolicy('allowEval', a_policy);

  // Provoke/wait for a CSP violation, in order to be sure that all previous
  // CSP violations have been delivered.
  function promise_flush() {
    return promise_violation("plugin-types bla/blubb");
  }
  function flush() {
   expect_throws(_ => {
      var o = document.createElement('object');
      o.type = "application/x-shockwave-flash";
      document.body.appendChild(o);
    });
  }

  window.script_run_beacon = 'never_overwritten';

  promise_test(t => {
    let p = Promise.resolve()
        .then(promise_violation("require-trusted-types-for 'script'"))
        .then(promise_flush());
    expect_throws(_ => eval('script_run_beacon="should not run"'));
    assert_equals(script_run_beacon, 'never_overwritten');
    flush();
    return p;
  }, "Trusted Type violation report: evaluating a string violates both script-src and trusted-types.");

  promise_test(t => {
    let p = Promise.resolve()
        .then(promise_violation("script-src"))
        .then(promise_flush());
    expect_throws(_ => eval(scriptyPolicy.createScript('script_run_beacon="i ran"')));
    flush();
    assert_not_equals(script_run_beacon, 'i ran'); // Code did not run.
    return p;
  }, "Trusted Type violation report: evaluating a Trusted Script violates script-src.");

  promise_test(t => {
    trustedTypes.createPolicy('default', {
      createScript: s => s.replace('payload', 'default policy'),
    }, true);
    let p = Promise.resolve()
        .then(promise_violation((e) =>
           e.effectiveDirective.includes('script-src') &&
           e.sample.includes("default policy")))
        .then(promise_flush());
    expect_throws(_ => eval('script_run_beacon="payload"')); // script-src will block.
    assert_not_equals(script_run_beacon, 'default policy'); // Code did not run.
    flush();
    return p;
  }, "Trusted Type violation report: script-src restrictions apply after the default policy runs.");

  </script>
</body>