| Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..1f6201ff52af7893efb337fbe8a0a6bb7298211a
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html
|
| @@ -0,0 +1,158 @@
|
| +<!DOCTYPE html>
|
| +<html>
|
| +<head>
|
| + <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdefg' 'unsafe-dynamic'">
|
| + <script src="/resources/testharness.js" nonce="abcdefg"></script>
|
| + <script src="/resources/testharnessreport.js" nonce="abcdefg"></script>
|
| +</head>
|
| +<body>
|
| + <script nonce="abcdefg">
|
| + function generateURL(type) {
|
| + return 'http://localhost:8000/security/contentSecurityPolicy/resources/loaded.js?' + type;
|
| + }
|
| +
|
| + var loaded = {};
|
| + var blocked = {};
|
| + window.addEventListener("message", function (e) {
|
| + loaded[e.data] = true;
|
| + });
|
| + document.addEventListener("securitypolicyviolation", function (e) {
|
| + blocked[e.lineNumber] = true;
|
| + });
|
| +
|
| + async_test(function (t) {
|
| + var e = document.createElement('script');
|
| + e.src = generateURL("append");
|
| + e.onload = t.step_func(function () {
|
| + // Delay the check until after the postMessage has a chance to execute.
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_true(loaded[generateURL("append")]);
|
| + }, 1));
|
| + });
|
| + e.onerror = t.unreached_func("Error should not be triggered.");
|
| + document.body.appendChild(e);
|
| + }, "Script injected via 'appendChild' is allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + var e = document.createElement('script');
|
| + e.src = generateURL("append-async");
|
| + e.async = true;
|
| + e.onload = t.step_func(function () {
|
| + // Delay the check until after the postMessage has a chance to execute.
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_true(loaded[generateURL("append-async")]);
|
| + }, 1));
|
| + });
|
| + e.onerror = t.unreached_func("Error should not be triggered.");
|
| + document.body.appendChild(e);
|
| + }, "Async script injected via 'appendChild' is allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + var e = document.createElement('script');
|
| + e.src = generateURL("append-defer");
|
| + e.defer = true;
|
| + e.onload = t.step_func(function () {
|
| + // Delay the check until after the postMessage has a chance to execute.
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_true(loaded[generateURL("append-defer")]);
|
| + }, 1));
|
| + });
|
| + e.onerror = t.unreached_func("Error should not be triggered.");
|
| + document.body.appendChild(e);
|
| + }, "Deferred script injected via 'appendChild' is allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_equals(loaded[generateURL("write")], undefined);
|
| + assert_true(blocked[65]);
|
| + }, 1));
|
| + }, "Script injected via 'document.write' is not allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + document.write("<scr" + "ipt defer src='" + generateURL("write-defer") + "'></scr" + "ipt>");
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_equals(loaded[generateURL("write-defer")], undefined);
|
| + assert_true(blocked[73]);
|
| + }, 1));
|
| + }, "Deferred script injected via 'document.write' is not allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + document.write("<scr" + "ipt async src='" + generateURL("write-async") + "'></scr" + "ipt>");
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_equals(loaded[generateURL("write-async")], undefined);
|
| + assert_true(blocked[81]);
|
| + }, 1));
|
| + }, "Async script injected via 'document.write' is not allowed with 'unsafe-dynamic'.");
|
| + </script>
|
| + <script nonce="abcdefg" defer>
|
| + async_test(function (t) {
|
| + var e = document.createElement('script');
|
| + e.src = generateURL("defer-append");
|
| + e.onload = t.step_func(function () {
|
| + // Delay the check until after the postMessage has a chance to execute.
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_true(loaded[generateURL("defer-append")]);
|
| + assert_equals(blocked[generateURL("defer-append")], undefined);
|
| + }, 1));
|
| + });
|
| + e.onerror = t.unreached_func("Error should not be triggered.");
|
| + document.body.appendChild(e);
|
| + }, "Script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + var e = document.createElement('script');
|
| + e.src = generateURL("defer-append-async");
|
| + e.async = true;
|
| + e.onload = t.step_func(function () {
|
| + // Delay the check until after the postMessage has a chance to execute.
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_true(loaded[generateURL("defer-append-async")]);
|
| + assert_equals(blocked[generateURL("defer-append-async")], undefined);
|
| + }, 1));
|
| + });
|
| + e.onerror = t.unreached_func("Error should not be triggered.");
|
| + document.body.appendChild(e);
|
| + }, "Async script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + var e = document.createElement('script');
|
| + e.src = generateURL("defer-append-defer");
|
| + e.defer = true;
|
| + e.onload = t.step_func(function () {
|
| + // Delay the check until after the postMessage has a chance to execute.
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_true(loaded[generateURL("defer-append-defer")]);
|
| + assert_equals(blocked[generateURL("defer-append-defer")], undefined);
|
| + }, 1));
|
| + });
|
| + e.onerror = t.unreached_func("Error should not be triggered.");
|
| + document.body.appendChild(e);
|
| + }, "Deferred script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_equals(loaded[generateURL("defer-write")], undefined);
|
| + assert_true(blocked[134]);
|
| + }, 1));
|
| + }, "Script injected via deferred 'document.write' is not allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + document.write("<scr" + "ipt defer src='" + generateURL("defer-write-defer") + "'></scr" + "ipt>");
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_equals(loaded[generateURL("write-defer")], undefined);
|
| + assert_true(blocked[142]);
|
| + }, 1));
|
| + }, "Deferred script injected via deferred 'document.write' is not allowed with 'unsafe-dynamic'.");
|
| +
|
| + async_test(function (t) {
|
| + document.write("<scr" + "ipt async src='" + generateURL("defer-write-async") + "'></scr" + "ipt>");
|
| + setTimeout(t.step_func_done(function () {
|
| + assert_equals(loaded[generateURL("defer-write-async")], undefined);
|
| + assert_true(blocked[150]);
|
| + }, 1));
|
| + }, "Async script injected via deferred 'document.write' is not allowed with 'unsafe-dynamic'.");
|
| + </script>
|
| +</body>
|
| +</html>
|
|
|
Chromium Code Reviews
Issue 1641533006:
CSP: Add an experimental 'unsafe-dynamic' source expression. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master