OLD | NEW |
1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <html> | 2 <html> |
3 <head> | 3 <head> |
4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'unsafe-dynamic'"> | 4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'strict-dynamic'"> |
5 <script src="/resources/testharness.js" nonce="abcdefg"></script> | 5 <script src="/resources/testharness.js" nonce="abcdefg"></script> |
6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> | 6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> |
7 </head> | 7 </head> |
8 <body> | 8 <body> |
9 <script nonce="abcdefg"> | 9 <script nonce="abcdefg"> |
10 function generateURL(type) { | 10 function generateURL(type) { |
11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; | 11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; |
12 } | 12 } |
13 | 13 |
14 var loaded = {}; | 14 var loaded = {}; |
15 var blocked = {}; | 15 var blocked = {}; |
16 window.addEventListener("message", function (e) { | 16 window.addEventListener("message", function (e) { |
17 loaded[e.data] = true; | 17 loaded[e.data] = true; |
18 }); | 18 }); |
19 document.addEventListener("securitypolicyviolation", function (e) { | 19 document.addEventListener("securitypolicyviolation", function (e) { |
20 blocked[e.lineNumber] = true; | 20 blocked[e.lineNumber] = true; |
21 }); | 21 }); |
22 | 22 |
23 async_test(function (t) { | 23 async_test(function (t) { |
24 var e = document.createElement('script'); | 24 var e = document.createElement('script'); |
25 e.src = generateURL("append"); | 25 e.src = generateURL("append"); |
26 e.onload = t.step_func(function () { | 26 e.onload = t.step_func(function () { |
27 // Delay the check until after the postMessage has a chance to exe
cute. | 27 // Delay the check until after the postMessage has a chance to exe
cute. |
28 setTimeout(t.step_func_done(function () { | 28 setTimeout(t.step_func_done(function () { |
29 assert_true(loaded[generateURL("append")]); | 29 assert_true(loaded[generateURL("append")]); |
30 }, 1)); | 30 }, 1)); |
31 }); | 31 }); |
32 e.onerror = t.unreached_func("Error should not be triggered."); | 32 e.onerror = t.unreached_func("Error should not be triggered."); |
33 document.body.appendChild(e); | 33 document.body.appendChild(e); |
34 }, "Script injected via 'appendChild' is allowed with 'unsafe-dynamic'."
); | 34 }, "Script injected via 'appendChild' is allowed with 'strict-dynamic'."
); |
35 | 35 |
36 async_test(function (t) { | 36 async_test(function (t) { |
37 var e = document.createElement('script'); | 37 var e = document.createElement('script'); |
38 e.src = generateURL("append-async"); | 38 e.src = generateURL("append-async"); |
39 e.async = true; | 39 e.async = true; |
40 e.onload = t.step_func(function () { | 40 e.onload = t.step_func(function () { |
41 // Delay the check until after the postMessage has a chance to exe
cute. | 41 // Delay the check until after the postMessage has a chance to exe
cute. |
42 setTimeout(t.step_func_done(function () { | 42 setTimeout(t.step_func_done(function () { |
43 assert_true(loaded[generateURL("append-async")]); | 43 assert_true(loaded[generateURL("append-async")]); |
44 }, 1)); | 44 }, 1)); |
45 }); | 45 }); |
46 e.onerror = t.unreached_func("Error should not be triggered."); | 46 e.onerror = t.unreached_func("Error should not be triggered."); |
47 document.body.appendChild(e); | 47 document.body.appendChild(e); |
48 }, "Async script injected via 'appendChild' is allowed with 'unsafe-dyna
mic'."); | 48 }, "Async script injected via 'appendChild' is allowed with 'strict-dyna
mic'."); |
49 | 49 |
50 async_test(function (t) { | 50 async_test(function (t) { |
51 var e = document.createElement('script'); | 51 var e = document.createElement('script'); |
52 e.src = generateURL("append-defer"); | 52 e.src = generateURL("append-defer"); |
53 e.defer = true; | 53 e.defer = true; |
54 e.onload = t.step_func(function () { | 54 e.onload = t.step_func(function () { |
55 // Delay the check until after the postMessage has a chance to exe
cute. | 55 // Delay the check until after the postMessage has a chance to exe
cute. |
56 setTimeout(t.step_func_done(function () { | 56 setTimeout(t.step_func_done(function () { |
57 assert_true(loaded[generateURL("append-defer")]); | 57 assert_true(loaded[generateURL("append-defer")]); |
58 }, 1)); | 58 }, 1)); |
59 }); | 59 }); |
60 e.onerror = t.unreached_func("Error should not be triggered."); | 60 e.onerror = t.unreached_func("Error should not be triggered."); |
61 document.body.appendChild(e); | 61 document.body.appendChild(e); |
62 }, "Deferred script injected via 'appendChild' is allowed with 'unsafe-d
ynamic'."); | 62 }, "Deferred script injected via 'appendChild' is allowed with 'strict-d
ynamic'."); |
63 | 63 |
64 async_test(function (t) { | 64 async_test(function (t) { |
65 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); | 65 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); |
66 setTimeout(t.step_func_done(function () { | 66 setTimeout(t.step_func_done(function () { |
67 assert_equals(loaded[generateURL("write")], undefined); | 67 assert_equals(loaded[generateURL("write")], undefined); |
68 assert_true(blocked[65]); | 68 assert_true(blocked[65]); |
69 }, 1)); | 69 }, 1)); |
70 }, "Script injected via 'document.write' is not allowed with 'unsafe-dyn
amic'."); | 70 }, "Script injected via 'document.write' is not allowed with 'strict-dyn
amic'."); |
71 | 71 |
72 async_test(function (t) { | 72 async_test(function (t) { |
73 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); | 73 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); |
74 setTimeout(t.step_func_done(function () { | 74 setTimeout(t.step_func_done(function () { |
75 assert_equals(loaded[generateURL("write-defer")], undefined); | 75 assert_equals(loaded[generateURL("write-defer")], undefined); |
76 assert_true(blocked[73]); | 76 assert_true(blocked[73]); |
77 }, 1)); | 77 }, 1)); |
78 }, "Deferred script injected via 'document.write' is not allowed with 'u
nsafe-dynamic'."); | 78 }, "Deferred script injected via 'document.write' is not allowed with 's
trict-dynamic'."); |
79 | 79 |
80 async_test(function (t) { | 80 async_test(function (t) { |
81 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); | 81 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); |
82 setTimeout(t.step_func_done(function () { | 82 setTimeout(t.step_func_done(function () { |
83 assert_equals(loaded[generateURL("write-async")], undefined); | 83 assert_equals(loaded[generateURL("write-async")], undefined); |
84 assert_true(blocked[81]); | 84 assert_true(blocked[81]); |
85 }, 1)); | 85 }, 1)); |
86 }, "Async script injected via 'document.write' is not allowed with 'unsa
fe-dynamic'."); | 86 }, "Async script injected via 'document.write' is not allowed with 'stri
ct-dynamic'."); |
87 </script> | 87 </script> |
88 <script nonce="abcdefg" defer> | 88 <script nonce="abcdefg" defer> |
89 async_test(function (t) { | 89 async_test(function (t) { |
90 var e = document.createElement('script'); | 90 var e = document.createElement('script'); |
91 e.src = generateURL("defer-append"); | 91 e.src = generateURL("defer-append"); |
92 e.onload = t.step_func(function () { | 92 e.onload = t.step_func(function () { |
93 // Delay the check until after the postMessage has a chance to exe
cute. | 93 // Delay the check until after the postMessage has a chance to exe
cute. |
94 setTimeout(t.step_func_done(function () { | 94 setTimeout(t.step_func_done(function () { |
95 assert_true(loaded[generateURL("defer-append")]); | 95 assert_true(loaded[generateURL("defer-append")]); |
96 assert_equals(blocked[generateURL("defer-append")], undefined); | 96 assert_equals(blocked[generateURL("defer-append")], undefined); |
97 }, 1)); | 97 }, 1)); |
98 }); | 98 }); |
99 e.onerror = t.unreached_func("Error should not be triggered."); | 99 e.onerror = t.unreached_func("Error should not be triggered."); |
100 document.body.appendChild(e); | 100 document.body.appendChild(e); |
101 }, "Script injected via deferred 'appendChild' is allowed with 'unsafe-d
ynamic'."); | 101 }, "Script injected via deferred 'appendChild' is allowed with 'strict-d
ynamic'."); |
102 | 102 |
103 async_test(function (t) { | 103 async_test(function (t) { |
104 var e = document.createElement('script'); | 104 var e = document.createElement('script'); |
105 e.src = generateURL("defer-append-async"); | 105 e.src = generateURL("defer-append-async"); |
106 e.async = true; | 106 e.async = true; |
107 e.onload = t.step_func(function () { | 107 e.onload = t.step_func(function () { |
108 // Delay the check until after the postMessage has a chance to exe
cute. | 108 // Delay the check until after the postMessage has a chance to exe
cute. |
109 setTimeout(t.step_func_done(function () { | 109 setTimeout(t.step_func_done(function () { |
110 assert_true(loaded[generateURL("defer-append-async")]); | 110 assert_true(loaded[generateURL("defer-append-async")]); |
111 assert_equals(blocked[generateURL("defer-append-async")], undefi
ned); | 111 assert_equals(blocked[generateURL("defer-append-async")], undefi
ned); |
112 }, 1)); | 112 }, 1)); |
113 }); | 113 }); |
114 e.onerror = t.unreached_func("Error should not be triggered."); | 114 e.onerror = t.unreached_func("Error should not be triggered."); |
115 document.body.appendChild(e); | 115 document.body.appendChild(e); |
116 }, "Async script injected via deferred 'appendChild' is allowed with 'un
safe-dynamic'."); | 116 }, "Async script injected via deferred 'appendChild' is allowed with 'st
rict-dynamic'."); |
117 | 117 |
118 async_test(function (t) { | 118 async_test(function (t) { |
119 var e = document.createElement('script'); | 119 var e = document.createElement('script'); |
120 e.src = generateURL("defer-append-defer"); | 120 e.src = generateURL("defer-append-defer"); |
121 e.defer = true; | 121 e.defer = true; |
122 e.onload = t.step_func(function () { | 122 e.onload = t.step_func(function () { |
123 // Delay the check until after the postMessage has a chance to exe
cute. | 123 // Delay the check until after the postMessage has a chance to exe
cute. |
124 setTimeout(t.step_func_done(function () { | 124 setTimeout(t.step_func_done(function () { |
125 assert_true(loaded[generateURL("defer-append-defer")]); | 125 assert_true(loaded[generateURL("defer-append-defer")]); |
126 assert_equals(blocked[generateURL("defer-append-defer")], undefi
ned); | 126 assert_equals(blocked[generateURL("defer-append-defer")], undefi
ned); |
127 }, 1)); | 127 }, 1)); |
128 }); | 128 }); |
129 e.onerror = t.unreached_func("Error should not be triggered."); | 129 e.onerror = t.unreached_func("Error should not be triggered."); |
130 document.body.appendChild(e); | 130 document.body.appendChild(e); |
131 }, "Deferred script injected via deferred 'appendChild' is allowed with
'unsafe-dynamic'."); | 131 }, "Deferred script injected via deferred 'appendChild' is allowed with
'strict-dynamic'."); |
132 | 132 |
133 async_test(function (t) { | 133 async_test(function (t) { |
134 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); | 134 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); |
135 setTimeout(t.step_func_done(function () { | 135 setTimeout(t.step_func_done(function () { |
136 assert_equals(loaded[generateURL("defer-write")], undefined); | 136 assert_equals(loaded[generateURL("defer-write")], undefined); |
137 assert_true(blocked[134]); | 137 assert_true(blocked[134]); |
138 }, 1)); | 138 }, 1)); |
139 }, "Script injected via deferred 'document.write' is not allowed with 'u
nsafe-dynamic'."); | 139 }, "Script injected via deferred 'document.write' is not allowed with 's
trict-dynamic'."); |
140 | 140 |
141 async_test(function (t) { | 141 async_test(function (t) { |
142 document.write("<scr" + "ipt defer src='" + generateURL("defer-write-d
efer") + "'></scr" + "ipt>"); | 142 document.write("<scr" + "ipt defer src='" + generateURL("defer-write-d
efer") + "'></scr" + "ipt>"); |
143 setTimeout(t.step_func_done(function () { | 143 setTimeout(t.step_func_done(function () { |
144 assert_equals(loaded[generateURL("write-defer")], undefined); | 144 assert_equals(loaded[generateURL("write-defer")], undefined); |
145 assert_true(blocked[142]); | 145 assert_true(blocked[142]); |
146 }, 1)); | 146 }, 1)); |
147 }, "Deferred script injected via deferred 'document.write' is not allowe
d with 'unsafe-dynamic'."); | 147 }, "Deferred script injected via deferred 'document.write' is not allowe
d with 'strict-dynamic'."); |
148 | 148 |
149 async_test(function (t) { | 149 async_test(function (t) { |
150 document.write("<scr" + "ipt async src='" + generateURL("defer-write-a
sync") + "'></scr" + "ipt>"); | 150 document.write("<scr" + "ipt async src='" + generateURL("defer-write-a
sync") + "'></scr" + "ipt>"); |
151 setTimeout(t.step_func_done(function () { | 151 setTimeout(t.step_func_done(function () { |
152 assert_equals(loaded[generateURL("defer-write-async")], undefined); | 152 assert_equals(loaded[generateURL("defer-write-async")], undefined); |
153 assert_true(blocked[150]); | 153 assert_true(blocked[150]); |
154 }, 1)); | 154 }, 1)); |
155 }, "Async script injected via deferred 'document.write' is not allowed w
ith 'unsafe-dynamic'."); | 155 }, "Async script injected via deferred 'document.write' is not allowed w
ith 'strict-dynamic'."); |
156 </script> | 156 </script> |
157 </body> | 157 </body> |
158 </html> | 158 </html> |
OLD | NEW |