Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(814)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html

Issue 1641533006: CSP: Add an experimental 'unsafe-dynamic' source expression. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Experiment. Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/loaded.js ('k') | third_party/WebKit/Source/core/dom/ScriptLoader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef g' 'unsafe-dynamic'">
5 <script src="/resources/testharness.js" nonce="abcdefg"></script>
6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script>
7 </head>
8 <body>
9 <script nonce="abcdefg">
10 function generateURL(type) {
11 return 'http://localhost:8000/security/contentSecurityPolicy/resources /loaded.js?' + type;
12 }
13
14 var loaded = {};
15 var blocked = {};
16 window.addEventListener("message", function (e) {
17 loaded[e.data] = true;
18 });
19 document.addEventListener("securitypolicyviolation", function (e) {
20 blocked[e.lineNumber] = true;
21 });
22
23 async_test(function (t) {
24 var e = document.createElement('script');
25 e.src = generateURL("append");
26 e.onload = t.step_func(function () {
27 // Delay the check until after the postMessage has a chance to exe cute.
28 setTimeout(t.step_func_done(function () {
29 assert_true(loaded[generateURL("append")]);
30 }, 1));
31 });
32 e.onerror = t.unreached_func("Error should not be triggered.");
33 document.body.appendChild(e);
34 }, "Script injected via 'appendChild' is allowed with 'unsafe-dynamic'." );
35
36 async_test(function (t) {
37 var e = document.createElement('script');
38 e.src = generateURL("append-async");
39 e.async = true;
40 e.onload = t.step_func(function () {
41 // Delay the check until after the postMessage has a chance to exe cute.
42 setTimeout(t.step_func_done(function () {
43 assert_true(loaded[generateURL("append-async")]);
44 }, 1));
45 });
46 e.onerror = t.unreached_func("Error should not be triggered.");
47 document.body.appendChild(e);
48 }, "Async script injected via 'appendChild' is allowed with 'unsafe-dyna mic'.");
49
50 async_test(function (t) {
51 var e = document.createElement('script');
52 e.src = generateURL("append-defer");
53 e.defer = true;
54 e.onload = t.step_func(function () {
55 // Delay the check until after the postMessage has a chance to exe cute.
56 setTimeout(t.step_func_done(function () {
57 assert_true(loaded[generateURL("append-defer")]);
58 }, 1));
59 });
60 e.onerror = t.unreached_func("Error should not be triggered.");
61 document.body.appendChild(e);
62 }, "Deferred script injected via 'appendChild' is allowed with 'unsafe-d ynamic'.");
63
64 async_test(function (t) {
65 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");
66 setTimeout(t.step_func_done(function () {
67 assert_equals(loaded[generateURL("write")], undefined);
68 assert_true(blocked[65]);
69 }, 1));
70 }, "Script injected via 'document.write' is not allowed with 'unsafe-dyn amic'.");
71
72 async_test(function (t) {
73 document.write("<scr" + "ipt defer src='" + generateURL("write-defer") + "'></scr" + "ipt>");
74 setTimeout(t.step_func_done(function () {
75 assert_equals(loaded[generateURL("write-defer")], undefined);
76 assert_true(blocked[73]);
77 }, 1));
78 }, "Deferred script injected via 'document.write' is not allowed with 'u nsafe-dynamic'.");
79
80 async_test(function (t) {
81 document.write("<scr" + "ipt async src='" + generateURL("write-async") + "'></scr" + "ipt>");
82 setTimeout(t.step_func_done(function () {
83 assert_equals(loaded[generateURL("write-async")], undefined);
84 assert_true(blocked[81]);
85 }, 1));
86 }, "Async script injected via 'document.write' is not allowed with 'unsa fe-dynamic'.");
87 </script>
88 <script nonce="abcdefg" defer>
89 async_test(function (t) {
90 var e = document.createElement('script');
91 e.src = generateURL("defer-append");
92 e.onload = t.step_func(function () {
93 // Delay the check until after the postMessage has a chance to exe cute.
94 setTimeout(t.step_func_done(function () {
95 assert_true(loaded[generateURL("defer-append")]);
96 assert_equals(blocked[generateURL("defer-append")], undefined);
97 }, 1));
98 });
99 e.onerror = t.unreached_func("Error should not be triggered.");
100 document.body.appendChild(e);
101 }, "Script injected via deferred 'appendChild' is allowed with 'unsafe-d ynamic'.");
102
103 async_test(function (t) {
104 var e = document.createElement('script');
105 e.src = generateURL("defer-append-async");
106 e.async = true;
107 e.onload = t.step_func(function () {
108 // Delay the check until after the postMessage has a chance to exe cute.
109 setTimeout(t.step_func_done(function () {
110 assert_true(loaded[generateURL("defer-append-async")]);
111 assert_equals(blocked[generateURL("defer-append-async")], undefi ned);
112 }, 1));
113 });
114 e.onerror = t.unreached_func("Error should not be triggered.");
115 document.body.appendChild(e);
116 }, "Async script injected via deferred 'appendChild' is allowed with 'un safe-dynamic'.");
117
118 async_test(function (t) {
119 var e = document.createElement('script');
120 e.src = generateURL("defer-append-defer");
121 e.defer = true;
122 e.onload = t.step_func(function () {
123 // Delay the check until after the postMessage has a chance to exe cute.
124 setTimeout(t.step_func_done(function () {
125 assert_true(loaded[generateURL("defer-append-defer")]);
126 assert_equals(blocked[generateURL("defer-append-defer")], undefi ned);
127 }, 1));
128 });
129 e.onerror = t.unreached_func("Error should not be triggered.");
130 document.body.appendChild(e);
131 }, "Deferred script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'.");
132
133 async_test(function (t) {
134 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");
135 setTimeout(t.step_func_done(function () {
136 assert_equals(loaded[generateURL("defer-write")], undefined);
137 assert_true(blocked[134]);
138 }, 1));
139 }, "Script injected via deferred 'document.write' is not allowed with 'u nsafe-dynamic'.");
140
141 async_test(function (t) {
142 document.write("<scr" + "ipt defer src='" + generateURL("defer-write-d efer") + "'></scr" + "ipt>");
143 setTimeout(t.step_func_done(function () {
144 assert_equals(loaded[generateURL("write-defer")], undefined);
145 assert_true(blocked[142]);
146 }, 1));
147 }, "Deferred script injected via deferred 'document.write' is not allowe d with 'unsafe-dynamic'.");
148
149 async_test(function (t) {
150 document.write("<scr" + "ipt async src='" + generateURL("defer-write-a sync") + "'></scr" + "ipt>");
151 setTimeout(t.step_func_done(function () {
152 assert_equals(loaded[generateURL("defer-write-async")], undefined);
153 assert_true(blocked[150]);
154 }, 1));
155 }, "Async script injected via deferred 'document.write' is not allowed w ith 'unsafe-dynamic'.");
156 </script>
157 </body>
158 </html>
OLDNEW
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/loaded.js ('k') | third_party/WebKit/Source/core/dom/ScriptLoader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698