From 99bbd86ddeeb8fd2b97d310f3f58bb5144fe0e40 Mon Sep 17 00:00:00 2001
From: cyfung1031 <44498510+cyfung1031@users.noreply.github.com>
Date: Sun, 24 May 2026 05:46:42 +0900
Subject: [PATCH 1/3] fix(e2e): add missing sandbox test
---
 e2e/gm-api.spec.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/e2e/gm-api.spec.ts b/e2e/gm-api.spec.ts
index b6a023f44..1b8ab0571 100644
--- a/e2e/gm-api.spec.ts
+++ b/e2e/gm-api.spec.ts
@@ -196,4 +196,21 @@ test.describe("GM API", () => {
 expect(failed, "Some content inject tests failed").toBe(0);
 expect(passed, "No test results found - script may not have run").toBeGreaterThan(0);
 });
+
+ test("Sandbox Test (sandbox_test.js)", async ({ context, extensionId }) => {
+ const { passed, failed, logs } = await runTestScript(
+ context,
+ extensionId,
+ "sandbox_test.js",
+ `${TARGET_URL}?SANDBOX_TEST_SC`,
+ 8_000
+ );
+
+ console.log(`[sandbox_test] passed=${passed}, failed=${failed}`);
+ if (failed !== 0) {
+ console.log("[sandbox_test] logs:", logs.join("\n"));
+ }
+ expect(failed, "Some tests failed").toBe(0);
+ expect(passed, "No test results found - script may not have run").toBeGreaterThan(0);
+ });
 });
From c2f2a0a89acdc35c95695fc5846d059531aa9917 Mon Sep 17 00:00:00 2001
From: cyfung1031 <44498510+cyfung1031@users.noreply.github.com>
Date: Sun, 24 May 2026 05:56:07 +0900
Subject: [PATCH 2/3] =?UTF-8?q?CSP=20=E4=B8=8D=E6=B5=8B=E8=AF=95=20eval?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 example/tests/sandbox_test.js | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/example/tests/sandbox_test.js b/example/tests/sandbox_test.js
index da41b5be5..5ff2bcf51 100644
--- a/example/tests/sandbox_test.js
+++ b/example/tests/sandbox_test.js
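Review bot: In the new "Sandbox Test" case in e2e/gm-api.spec.ts the logs are printed only when `failed !== 0`, so the outcome the last assertion guards against (the script never ran and `passed` is 0) fails with no diagnostic output at all. For a test whose job is to confirm the userscript sandbox stays isolated from the page, a run that produced no results needs as much evidence as a failed assertion; consider `if (failed !== 0 || passed === 0) {`. The message `"Some tests failed"` is also less specific than the sibling case's "Some content inject tests failed"; `"Some sandbox tests failed"` would make the CI output self-explanatory.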
@@ -893,13 +893,19 @@
 () => {},
 ));
- await test("eval 保持可用,并在当前沙盒内解析全局", () => {
- const key = `${markerPrefix}_eval`;
- eval(`window["${key}"] = "from-eval";`);
- assertSame("from-eval", window[key], "eval 应能写入沙盒 window");
- assertSame(undefined, unsafeWindow[key], "eval 写入不应穿透页面 window");
- delete window[key];
- });
+ if (location.origin.includes("content-security-policy")) {
+ // CSP 不测试 eval
+ } else {
+ // eval 不一定能通过
+ // 这跟沙盒无关。不应进行此测试
+ await test("eval 保持可用,并在当前沙盒内解析全局", () => {
+ const key = `${markerPrefix}_eval`;
+ eval(`window["${key}"] = "from-eval";`);
+ assertSame("from-eval", window[key], "eval 应能写入沙盒 window");
+ assertSame(undefined, unsafeWindow[key], "eval 写入不应穿透页面 window");
+ delete window[key];
+ });
+ }
 console.log(
 "\n%c=== 测试完成 ===",
From 28db1b05a6af021b77a05d082d09c68720078e04 Mon Sep 17 00:00:00 2001
From: cyfung1031 <44498510+cyfung1031@users.noreply.github.com>
Date: Sun, 24 May 2026 06:08:36 +0900
Subject: [PATCH 3/3] update e2e
---
 example/tests/sandbox_test.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/example/tests/sandbox_test.js b/example/tests/sandbox_test.js
index 5ff2bcf51..38930c2bf 100644
--- a/example/tests/sandbox_test.js
+++ b/example/tests/sandbox_test.js
@@ -22,6 +22,11 @@
 // @run-at document-end
 // ==/UserScript==
+var testVar1001 = 1001;
+const mpt = document.body.appendChild(document.createElement("test-element-1002"));
+mpt.id = "test-element-1002";
+mpt.name = "test-element-1002";
+
 (async function () {
 "use strict";
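Review bot: In the `@@ -893,13 +893,19 @@` hunk of example/tests/sandbox_test.js the eval case is dropped without a trace when `location.origin.includes("content-security-policy")` is true. Nothing is logged, and the e2e wrapper only asserts `passed > 0`, so the assertion that an eval write does not reach `unsafeWindow` can vanish from a run unnoticed. The substring match on the origin is also a stand-in for "eval is blocked on this page" rather than a check of it, which presumably holds only for the current test host. I would invert the condition to remove the empty branch, `if (!location.origin.includes("content-security-policy")) {`, and log the skip in an `else` (if the result parser tolerates an extra line). The comment `不应进行此测试` sits above a test that still runs, so it should state why the case is kept for non-CSP origins.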
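Review bot: In the `@@ -22,6 +22,11 @@` hunk the probe element appended to `document.body` is never removed, so it stays attached to the page for every later test in the file and remains visible to the page's own scripts after the run. The `mpt.name = "test-element-1002"` assignment only sets a script-side property on an element type that has no `name` IDL attribute, and named access on `window` is keyed on `id` for arbitrary elements. The line can be dropped, or written as `mpt.setAttribute("name", "test-element-1002")` if the attribute itself is meant to be exercised. Because these statements are deliberately outside the IIFE and above `"use strict"`, a comment such as `// top-level fixtures: must stay outside the IIFE so the sandbox-leak tests can observe them` would keep them from being tidied away later.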
@@ -145,6 +150,16 @@
 section("沙盒全局身份");
+ await test("检测全局 testVar1001 会否跳出沙盒", () => {
+ assertSame(undefined, window["testVar1001"], "全局 testVar1001 不应跳出沙盒");
+ assertSame(undefined, unsafeWindow["testVar1001"], "全局 testVar1001 不应跳出沙盒");
+ });
+
+ await test("检测全局 test-element-1002", () => {
+ assertSame("test-element-1002", unsafeWindow["test-element-1002"]?.id, "全局 test-element-1002");
+ assertSame(undefined, window["test-element-1002"]?.id, "半沙盒无法检测 test-element-1002");
+ });
+
 await test("window/self/globalThis/top/parent/frames 均指向沙盒对象", () => {
 assertSame("object", typeof unsafeWindow, "unsafeWindow 应存在");
 assertNotSame(
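Review bot: The two assertions in the new `testVar1001` test carry the same message, `"全局 testVar1001 不应跳出沙盒"`, so a failure does not say whether the top-level `var` surfaced on the sandbox `window` or on the page's `unsafeWindow`. Those are different findings: the second means script state is readable by the page. Distinct messages would settle it from the log alone, e.g. `"testVar1001 不应出现在沙盒 window 上"` and `"testVar1001 不应泄漏到页面 unsafeWindow"`. Both new tests also depend on fixtures created at the top of the file, and a short comment pointing there would help a reader of this section; the following `window/self/globalThis` test continues outside the hunk.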