OLD | NEW |
---|---|
(Empty) | |
1 <!DOCTYPE html> | |
2 <html> | |
3 <head> | |
4 <title>script-src disallowed wildcard use</title> | |
5 <script src="../../../resources/testharness.js"></script> | |
6 <script src="../../../resources/testharnessreport.js"></script> | |
7 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *"> | |
8 </head> | |
9 <body> | |
10 <script nonce="nonce"> | |
11 var t1 = async_test('data: URIs should not match *'); | |
12 t1.step(function() { | |
13 var script = document.createElement("script"); | |
14 script.src = 'data:application/javascript,'; | |
15 script.addEventListener('load', t1.step_func(function() { | |
16 assert_unreached('Should not successfully load data URI.'); | |
17 })); | |
18 script.addEventListener('error', t1.step_func(function() { | |
19 t1.done(); | |
20 })); | |
21 document.head.appendChild(script); | |
22 }); | |
23 | |
24 var t2 = async_test('blob: URIs should not match *'); | |
25 t2.step(function() { | |
26 var b = new Blob([''], { type: 'application/javascript' }); | |
27 var script = document.createElement('script'); | |
28 script.addEventListener('load', t2.step_func(function() { | |
29 assert_unreached('Should not successfully load blob URI.'); | |
30 })); | |
31 script.addEventListener('error', t2.step_func(function() { | |
32 t2.done(); | |
33 })); | |
34 | |
35 script.src = URL.createObjectURL(b); | |
36 document.head.appendChild(script); | |
37 }); | |
38 | |
39 var t3 = async_test('filesystem URIs should not match *'); | |
40 window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs ) { | |
Mike West
2015/09/25 13:53:41
Nit: Wrap this in an `if (window.webkitRequestFile
jww
2015/09/25 15:32:15
Done.
| |
41 fs.root.getFile('fail.js', {create: true}, function(fileEntry) { | |
42 fileEntry.createWriter(function(fileWriter) { | |
43 var script = document.createElement('script'); | |
44 | |
45 script.addEventListener('load', t3.step_func(function() { | |
46 assert_unreached('Should not successfully load filesyste m URI.'); | |
47 })); | |
48 script.addEventListener('error', t3.step_func(function() { | |
49 t3.done(); | |
50 })); | |
51 | |
52 script.src = fileEntry.toURL('application/javascript'); | |
53 document.body.appendChild(script); | |
54 }); | |
55 }); | |
56 }); | |
57 </script> | |
58 </body> | |
59 </html> | |
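Review bot: All three tests call `done()` on any `error` event, so a script that fails to load for a reason unrelated to CSP is counted as proof that `*` did not match the scheme; this matters most for t3, where the `filesystem:` URL comes out of a chain of asynchronous calls. Consider confirming the block itself as well, for example by listening for `securitypolicyviolation` on `document` and checking the reported `blockedURI` before finishing each test. Separately, in t3 none of `webkitRequestFileSystem`, `getFile` or `createWriter` is given an error callback, so a quota or API failure shows up as a timeout rather than a failure; passing `t3.unreached_func('filesystem setup failed')` as the error callback to each call would make that explicit. The `fileWriter` argument is never used, so the `createWriter` call looks unnecessary and the script element could be created directly in the `getFile` callback.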