OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE html> |
| 2 <html> |
| 3 <head> |
| 4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'unsafe-dynamic' http://localhost:8000"> |
| 5 <script src="/resources/testharness.js" nonce="abcdefg"></script> |
| 6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> |
| 7 </head> |
| 8 <body> |
| 9 <script nonce="abcdefg"> |
| 10 function generateURL(type) { |
| 11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; |
| 12 } |
| 13 |
| 14 var loaded = {}; |
| 15 var blocked = {}; |
| 16 window.addEventListener("message", function (e) { |
| 17 loaded[e.data] = true; |
| 18 }); |
| 19 document.addEventListener("securitypolicyviolation", function (e) { |
| 20 blocked[e.lineNumber] = true; |
| 21 }); |
| 22 |
| 23 async_test(function (t) { |
| 24 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); |
| 25 setTimeout(t.step_func_done(function () { |
| 26 assert_equals(loaded[generateURL("write")], undefined); |
| 27 assert_true(blocked[24]); |
| 28 }, 1)); |
| 29 }, "Script injected via 'document.write' is not allowed with 'unsafe-dyn
amic', even if whitelisted."); |
| 30 |
| 31 async_test(function (t) { |
| 32 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); |
| 33 setTimeout(t.step_func_done(function () { |
| 34 assert_equals(loaded[generateURL("write-defer")], undefined); |
| 35 assert_true(blocked[32]); |
| 36 }, 1)); |
| 37 }, "Deferred script injected via 'document.write' is not allowed with 'u
nsafe-dynamic', even if whitelisted."); |
| 38 |
| 39 async_test(function (t) { |
| 40 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); |
| 41 setTimeout(t.step_func_done(function () { |
| 42 assert_equals(loaded[generateURL("write-async")], undefined); |
| 43 assert_true(blocked[40]); |
| 44 }, 1)); |
| 45 }, "Async script injected via 'document.write' is not allowed with 'unsa
fe-dynamic', even if whitelisted."); |
| 46 </script> |
| 47 </body> |
| 48 </html> |
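Review bot: In the three `setTimeout(t.step_func_done(function () { … }, 1));` calls (new lines 25–28, 33–36 and 41–44) the `1` sits inside the `step_func_done(...)` parentheses, so it is passed as that function's second argument and `setTimeout` itself gets no delay; if a 1 ms delay was intended, the closing should read `}), 1);`. Either way, `assert_equals(loaded[...], undefined)` runs almost immediately, probably before a permitted script could have been fetched and posted its message. That check can therefore pass vacuously, which leaves `assert_true(blocked[N])` as the only assertion that would catch a regression where the policy stops blocking these parser-inserted scripts. Those keys are hard-coded source line numbers (24, 32, 40) that stop matching as soon as a line is added above them, so I would add a comment next to the listener such as `// blocked[] is keyed by the line of each document.write() call; update 24/32/40 if lines move`.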
OLD | NEW |