Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html |
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html |
new file mode 100644 |
index 0000000000000000000000000000000000000000..1f6201ff52af7893efb337fbe8a0a6bb7298211a |
--- /dev/null |
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-unsafe-dynamic.html |
@@ -0,0 +1,158 @@ |
+<!DOCTYPE html> |
+<html> |
+<head> |
+ <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdefg' 'unsafe-dynamic'"> |
+ <script src="/resources/testharness.js" nonce="abcdefg"></script> |
+ <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> |
+</head> |
+<body> |
+ <script nonce="abcdefg"> |
+ function generateURL(type) { |
+ return 'http://localhost:8000/security/contentSecurityPolicy/resources/loaded.js?' + type; |
+ } |
+ |
+ var loaded = {}; |
+ var blocked = {}; |
+ window.addEventListener("message", function (e) { |
+ loaded[e.data] = true; |
+ }); |
+ document.addEventListener("securitypolicyviolation", function (e) { |
+ blocked[e.lineNumber] = true; |
+ }); |
+ |
+ async_test(function (t) { |
+ var e = document.createElement('script'); |
+ e.src = generateURL("append"); |
+ e.onload = t.step_func(function () { |
+ // Delay the check until after the postMessage has a chance to execute. |
+ setTimeout(t.step_func_done(function () { |
+ assert_true(loaded[generateURL("append")]); |
+ }, 1)); |
+ }); |
+ e.onerror = t.unreached_func("Error should not be triggered."); |
+ document.body.appendChild(e); |
+ }, "Script injected via 'appendChild' is allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ var e = document.createElement('script'); |
+ e.src = generateURL("append-async"); |
+ e.async = true; |
+ e.onload = t.step_func(function () { |
+ // Delay the check until after the postMessage has a chance to execute. |
+ setTimeout(t.step_func_done(function () { |
+ assert_true(loaded[generateURL("append-async")]); |
+ }, 1)); |
+ }); |
+ e.onerror = t.unreached_func("Error should not be triggered."); |
+ document.body.appendChild(e); |
+ }, "Async script injected via 'appendChild' is allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ var e = document.createElement('script'); |
+ e.src = generateURL("append-defer"); |
+ e.defer = true; |
+ e.onload = t.step_func(function () { |
+ // Delay the check until after the postMessage has a chance to execute. |
+ setTimeout(t.step_func_done(function () { |
+ assert_true(loaded[generateURL("append-defer")]); |
+ }, 1)); |
+ }); |
+ e.onerror = t.unreached_func("Error should not be triggered."); |
+ document.body.appendChild(e); |
+ }, "Deferred script injected via 'appendChild' is allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>"); |
+ setTimeout(t.step_func_done(function () { |
+ assert_equals(loaded[generateURL("write")], undefined); |
+ assert_true(blocked[65]); |
+ }, 1)); |
+ }, "Script injected via 'document.write' is not allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ document.write("<scr" + "ipt defer src='" + generateURL("write-defer") + "'></scr" + "ipt>"); |
+ setTimeout(t.step_func_done(function () { |
+ assert_equals(loaded[generateURL("write-defer")], undefined); |
+ assert_true(blocked[73]); |
+ }, 1)); |
+ }, "Deferred script injected via 'document.write' is not allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ document.write("<scr" + "ipt async src='" + generateURL("write-async") + "'></scr" + "ipt>"); |
+ setTimeout(t.step_func_done(function () { |
+ assert_equals(loaded[generateURL("write-async")], undefined); |
+ assert_true(blocked[81]); |
+ }, 1)); |
+ }, "Async script injected via 'document.write' is not allowed with 'unsafe-dynamic'."); |
+ </script> |
+ <script nonce="abcdefg" defer> |
+ async_test(function (t) { |
+ var e = document.createElement('script'); |
+ e.src = generateURL("defer-append"); |
+ e.onload = t.step_func(function () { |
+ // Delay the check until after the postMessage has a chance to execute. |
+ setTimeout(t.step_func_done(function () { |
+ assert_true(loaded[generateURL("defer-append")]); |
+ assert_equals(blocked[generateURL("defer-append")], undefined); |
+ }, 1)); |
+ }); |
+ e.onerror = t.unreached_func("Error should not be triggered."); |
+ document.body.appendChild(e); |
+ }, "Script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ var e = document.createElement('script'); |
+ e.src = generateURL("defer-append-async"); |
+ e.async = true; |
+ e.onload = t.step_func(function () { |
+ // Delay the check until after the postMessage has a chance to execute. |
+ setTimeout(t.step_func_done(function () { |
+ assert_true(loaded[generateURL("defer-append-async")]); |
+ assert_equals(blocked[generateURL("defer-append-async")], undefined); |
+ }, 1)); |
+ }); |
+ e.onerror = t.unreached_func("Error should not be triggered."); |
+ document.body.appendChild(e); |
+ }, "Async script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ var e = document.createElement('script'); |
+ e.src = generateURL("defer-append-defer"); |
+ e.defer = true; |
+ e.onload = t.step_func(function () { |
+ // Delay the check until after the postMessage has a chance to execute. |
+ setTimeout(t.step_func_done(function () { |
+ assert_true(loaded[generateURL("defer-append-defer")]); |
+ assert_equals(blocked[generateURL("defer-append-defer")], undefined); |
+ }, 1)); |
+ }); |
+ e.onerror = t.unreached_func("Error should not be triggered."); |
+ document.body.appendChild(e); |
+ }, "Deferred script injected via deferred 'appendChild' is allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>"); |
+ setTimeout(t.step_func_done(function () { |
+ assert_equals(loaded[generateURL("defer-write")], undefined); |
+ assert_true(blocked[134]); |
+ }, 1)); |
+ }, "Script injected via deferred 'document.write' is not allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ document.write("<scr" + "ipt defer src='" + generateURL("defer-write-defer") + "'></scr" + "ipt>"); |
+ setTimeout(t.step_func_done(function () { |
+ assert_equals(loaded[generateURL("write-defer")], undefined); |
+ assert_true(blocked[142]); |
+ }, 1)); |
+ }, "Deferred script injected via deferred 'document.write' is not allowed with 'unsafe-dynamic'."); |
+ |
+ async_test(function (t) { |
+ document.write("<scr" + "ipt async src='" + generateURL("defer-write-async") + "'></scr" + "ipt>"); |
+ setTimeout(t.step_func_done(function () { |
+ assert_equals(loaded[generateURL("defer-write-async")], undefined); |
+ assert_true(blocked[150]); |
+ }, 1)); |
+ }, "Async script injected via deferred 'document.write' is not allowed with 'unsafe-dynamic'."); |
+ </script> |
+</body> |
+</html> |