OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'unsafe-dynamic'"> |
| 5 <script src="/resources/testharness.js" nonce="abcdefg"></script> |
| 6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> |
| 7 </head> |
| 8 <body> |
| 9 <script nonce="abcdefg"> |
| 10 function generateURL(type) { |
| 11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; |
| 12 } |
| 13 |
| 14 var loaded = {}; |
| 15 var blocked = {}; |
| 16 window.addEventListener("message", function (e) { |
| 17 loaded[e.data] = true; |
| 18 }); |
| 19 document.addEventListener("securitypolicyviolation", function (e) { |
| 20 blocked[e.lineNumber] = true; |
| 21 }); |
| 22 |
| 23 async_test(function (t) { |
| 24 var e = document.createElement('script'); |
| 25 e.src = generateURL("append"); |
| 26 e.onload = t.step_func(function () { |
| 27 // Delay the check until after the postMessage has a chance to exe
cute. |
| 28 setTimeout(t.step_func_done(function () { |
| 29 assert_true(loaded[generateURL("append")]); |
| 30 }, 1)); |
| 31 }); |
| 32 e.onerror = t.unreached_func("Error should not be triggered."); |
| 33 document.body.appendChild(e); |
| 34 }, "Script injected via 'appendChild' is allowed with 'unsafe-dynamic'."
); |
| 35 |
| 36 async_test(function (t) { |
| 37 var e = document.createElement('script'); |
| 38 e.src = generateURL("append-async"); |
| 39 e.async = true; |
| 40 e.onload = t.step_func(function () { |
| 41 // Delay the check until after the postMessage has a chance to exe
cute. |
| 42 setTimeout(t.step_func_done(function () { |
| 43 assert_true(loaded[generateURL("append-async")]); |
| 44 }, 1)); |
| 45 }); |
| 46 e.onerror = t.unreached_func("Error should not be triggered."); |
| 47 document.body.appendChild(e); |
| 48 }, "Async script injected via 'appendChild' is allowed with 'unsafe-dyna
mic'."); |
| 49 |
| 50 async_test(function (t) { |
| 51 var e = document.createElement('script'); |
| 52 e.src = generateURL("append-defer"); |
| 53 e.defer = true; |
| 54 e.onload = t.step_func(function () { |
| 55 // Delay the check until after the postMessage has a chance to exe
cute. |
| 56 setTimeout(t.step_func_done(function () { |
| 57 assert_true(loaded[generateURL("append-defer")]); |
| 58 }, 1)); |
| 59 }); |
| 60 e.onerror = t.unreached_func("Error should not be triggered."); |
| 61 document.body.appendChild(e); |
| 62 }, "Deferred script injected via 'appendChild' is allowed with 'unsafe-d
ynamic'."); |
| 63 |
| 64 async_test(function (t) { |
| 65 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); |
| 66 setTimeout(t.step_func_done(function () { |
| 67 assert_equals(loaded[generateURL("write")], undefined); |
| 68 assert_true(blocked[65]); |
| 69 }, 1)); |
| 70 }, "Script injected via 'document.write' is not allowed with 'unsafe-dyn
amic'."); |
| 71 |
| 72 async_test(function (t) { |
| 73 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); |
| 74 setTimeout(t.step_func_done(function () { |
| 75 assert_equals(loaded[generateURL("write-defer")], undefined); |
| 76 assert_true(blocked[73]); |
| 77 }, 1)); |
| 78 }, "Deferred script injected via 'document.write' is not allowed with 'u
nsafe-dynamic'."); |
| 79 |
| 80 async_test(function (t) { |
| 81 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); |
| 82 setTimeout(t.step_func_done(function () { |
| 83 assert_equals(loaded[generateURL("write-async")], undefined); |
| 84 assert_true(blocked[81]); |
| 85 }, 1)); |
| 86 }, "Async script injected via 'document.write' is not allowed with 'unsa
fe-dynamic'."); |
| 87 </script> |
| 88 <script nonce="abcdefg" defer> |
| 89 async_test(function (t) { |
| 90 var e = document.createElement('script'); |
| 91 e.src = generateURL("defer-append"); |
| 92 e.onload = t.step_func(function () { |
| 93 // Delay the check until after the postMessage has a chance to exe
cute. |
| 94 setTimeout(t.step_func_done(function () { |
| 95 assert_true(loaded[generateURL("defer-append")]); |
| 96 assert_equals(blocked[generateURL("defer-append")], undefined); |
| 97 }, 1)); |
| 98 }); |
| 99 e.onerror = t.unreached_func("Error should not be triggered."); |
| 100 document.body.appendChild(e); |
| 101 }, "Script injected via deferred 'appendChild' is allowed with 'unsafe-d
ynamic'."); |
| 102 |
| 103 async_test(function (t) { |
| 104 var e = document.createElement('script'); |
| 105 e.src = generateURL("defer-append-async"); |
| 106 e.async = true; |
| 107 e.onload = t.step_func(function () { |
| 108 // Delay the check until after the postMessage has a chance to exe
cute. |
| 109 setTimeout(t.step_func_done(function () { |
| 110 assert_true(loaded[generateURL("defer-append-async")]); |
| 111 assert_equals(blocked[generateURL("defer-append-async")], undefi
ned); |
| 112 }, 1)); |
| 113 }); |
| 114 e.onerror = t.unreached_func("Error should not be triggered."); |
| 115 document.body.appendChild(e); |
| 116 }, "Async script injected via deferred 'appendChild' is allowed with 'un
safe-dynamic'."); |
| 117 |
| 118 async_test(function (t) { |
| 119 var e = document.createElement('script'); |
| 120 e.src = generateURL("defer-append-defer"); |
| 121 e.defer = true; |
| 122 e.onload = t.step_func(function () { |
| 123 // Delay the check until after the postMessage has a chance to exe
cute. |
| 124 setTimeout(t.step_func_done(function () { |
| 125 assert_true(loaded[generateURL("defer-append-defer")]); |
| 126 assert_equals(blocked[generateURL("defer-append-defer")], undefi
ned); |
| 127 }, 1)); |
| 128 }); |
| 129 e.onerror = t.unreached_func("Error should not be triggered."); |
| 130 document.body.appendChild(e); |
| 131 }, "Deferred script injected via deferred 'appendChild' is allowed with
'unsafe-dynamic'."); |
| 132 |
| 133 async_test(function (t) { |
| 134 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); |
| 135 setTimeout(t.step_func_done(function () { |
| 136 assert_equals(loaded[generateURL("defer-write")], undefined); |
| 137 assert_true(blocked[134]); |
| 138 }, 1)); |
| 139 }, "Script injected via deferred 'document.write' is not allowed with 'u
nsafe-dynamic'."); |
| 140 |
| 141 async_test(function (t) { |
| 142 document.write("<scr" + "ipt defer src='" + generateURL("defer-write-d
efer") + "'></scr" + "ipt>"); |
| 143 setTimeout(t.step_func_done(function () { |
| 144 assert_equals(loaded[generateURL("write-defer")], undefined); |
| 145 assert_true(blocked[142]); |
| 146 }, 1)); |
| 147 }, "Deferred script injected via deferred 'document.write' is not allowe
d with 'unsafe-dynamic'."); |
| 148 |
| 149 async_test(function (t) { |
| 150 document.write("<scr" + "ipt async src='" + generateURL("defer-write-a
sync") + "'></scr" + "ipt>"); |
| 151 setTimeout(t.step_func_done(function () { |
| 152 assert_equals(loaded[generateURL("defer-write-async")], undefined); |
| 153 assert_true(blocked[150]); |
| 154 }, 1)); |
| 155 }, "Async script injected via deferred 'document.write' is not allowed w
ith 'unsafe-dynamic'."); |
| 156 </script> |
| 157 </body> |
| 158 </html> |
OLD | NEW |