Haketilo

    A test case of sanitizing <script>s and intrinsic JavaScript in HTML pages.

    def click_all():

    def assert_properly_blocked():

        click_all()

    click_all()

# Test function analogous to that for HTML page.

@pytest.mark.ext_data({'content_script': content_script})

@pytest.mark.usefixtures('webextension')

@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])

def test_policy_enforcing_xml(driver, execute_in_page, csp_off_setting):

    """

    A test case of sanitizing <script>s and intrinsic JavaScript in XML

    documents.

    """

    def click_all():

        for name in ('idaret', 'nowamak', 'mango', 'annoying'):

            elem = driver.find_element_by_id(f'{name}_circle')

            try:

                elem.click()

            except:

                pass

    def assert_properly_blocked():

        click_all()

        try:

            assert set(driver.execute_script('return window.__run || [];')) == set()

        except:

            from time import sleep

            sleep(100000)

        assert bool(csp_off_setting) == are_scripts_allowed(driver)

    # First, see if scripts run when not blocked.

    get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', {

        'policy': allow_policy,

        **csp_off_setting

    })

    click_all()

    assert set(driver.execute_script('return window.__run || [];')) == \

        {'grape', 'raspberry', 'idaret', 'melon'}

    assert are_scripts_allowed(driver)

    # Now, verify scripts don't run when blocked.

    get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', {

        'policy': block_policy,

        **csp_off_setting

    })

    assert_properly_blocked()

    # Now, verify only scripts with nonce can run when payload is injected.

    get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', {

        'policy': payload_policy,

        **csp_off_setting

    })

    assert_properly_blocked()

    assert are_scripts_allowed(driver, nonce)