OLD | NEW |
1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <html> | 2 <html> |
3 <head> | 3 <head> |
4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'unsafe-dynamic' http://localhost:8000"> | 4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'strict-dynamic' http://localhost:8000"> |
5 <script src="/resources/testharness.js" nonce="abcdefg"></script> | 5 <script src="/resources/testharness.js" nonce="abcdefg"></script> |
6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> | 6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> |
7 </head> | 7 </head> |
8 <body> | 8 <body> |
9 <script nonce="abcdefg"> | 9 <script nonce="abcdefg"> |
10 function generateURL(type) { | 10 function generateURL(type) { |
11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; | 11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; |
12 } | 12 } |
13 | 13 |
14 var loaded = {}; | 14 var loaded = {}; |
15 var blocked = {}; | 15 var blocked = {}; |
16 window.addEventListener("message", function (e) { | 16 window.addEventListener("message", function (e) { |
17 loaded[e.data] = true; | 17 loaded[e.data] = true; |
18 }); | 18 }); |
19 document.addEventListener("securitypolicyviolation", function (e) { | 19 document.addEventListener("securitypolicyviolation", function (e) { |
20 blocked[e.lineNumber] = true; | 20 blocked[e.lineNumber] = true; |
21 }); | 21 }); |
22 | 22 |
23 async_test(function (t) { | 23 async_test(function (t) { |
24 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); | 24 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); |
25 setTimeout(t.step_func_done(function () { | 25 setTimeout(t.step_func_done(function () { |
26 assert_equals(loaded[generateURL("write")], undefined); | 26 assert_equals(loaded[generateURL("write")], undefined); |
27 assert_true(blocked[24]); | 27 assert_true(blocked[24]); |
28 }, 1)); | 28 }, 1)); |
29 }, "Script injected via 'document.write' is not allowed with 'unsafe-dyn
amic', even if whitelisted."); | 29 }, "Script injected via 'document.write' is not allowed with 'strict-dyn
amic', even if whitelisted."); |
30 | 30 |
31 async_test(function (t) { | 31 async_test(function (t) { |
32 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); | 32 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); |
33 setTimeout(t.step_func_done(function () { | 33 setTimeout(t.step_func_done(function () { |
34 assert_equals(loaded[generateURL("write-defer")], undefined); | 34 assert_equals(loaded[generateURL("write-defer")], undefined); |
35 assert_true(blocked[32]); | 35 assert_true(blocked[32]); |
36 }, 1)); | 36 }, 1)); |
37 }, "Deferred script injected via 'document.write' is not allowed with 'u
nsafe-dynamic', even if whitelisted."); | 37 }, "Deferred script injected via 'document.write' is not allowed with 's
trict-dynamic', even if whitelisted."); |
38 | 38 |
39 async_test(function (t) { | 39 async_test(function (t) { |
40 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); | 40 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); |
41 setTimeout(t.step_func_done(function () { | 41 setTimeout(t.step_func_done(function () { |
42 assert_equals(loaded[generateURL("write-async")], undefined); | 42 assert_equals(loaded[generateURL("write-async")], undefined); |
43 assert_true(blocked[40]); | 43 assert_true(blocked[40]); |
44 }, 1)); | 44 }, 1)); |
45 }, "Async script injected via 'document.write' is not allowed with 'unsa
fe-dynamic', even if whitelisted."); | 45 }, "Async script injected via 'document.write' is not allowed with 'stri
ct-dynamic', even if whitelisted."); |
46 </script> | 46 </script> |
47 </body> | 47 </body> |
48 </html> | 48 </html> |
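Review bot: The assertions `assert_true(blocked[24])`, `blocked[32]` and `blocked[40]` are tied to the physical line of each `document.write` call through `blocked[e.lineNumber] = true`, so adding or removing a line above them breaks all three tests, and nothing in the file says so. I would add a comment above the `securitypolicyviolation` listener: `// Keyed by the line of the document.write() call that caused the violation; keep 24/32/40 in the asserts in sync.` Separately, the `assert_equals(loaded[...], undefined)` checks run after `setTimeout(..., 1)`, which is probably too early for a permitted load to have reported back through the `message` listener. If so, the `blocked[...]` assertion is the only one that really shows 'strict-dynamic' overriding the `http://localhost:8000` host source, and a one-line comment saying that would keep a later cleanup from dropping it.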
OLD | NEW |