OLD | NEW |
| (Empty) |
1 <!DOCTYPE html> | |
2 <html> | |
3 <head> | |
4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef
g' 'unsafe-dynamic' http://localhost:8000"> | |
5 <script src="/resources/testharness.js" nonce="abcdefg"></script> | |
6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script> | |
7 </head> | |
8 <body> | |
9 <script nonce="abcdefg"> | |
10 function generateURL(type) { | |
11 return 'http://localhost:8000/security/contentSecurityPolicy/resources
/loaded.js?' + type; | |
12 } | |
13 | |
14 var loaded = {}; | |
15 var blocked = {}; | |
16 window.addEventListener("message", function (e) { | |
17 loaded[e.data] = true; | |
18 }); | |
19 document.addEventListener("securitypolicyviolation", function (e) { | |
20 blocked[e.lineNumber] = true; | |
21 }); | |
22 | |
23 async_test(function (t) { | |
24 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr"
+ "ipt>"); | |
25 setTimeout(t.step_func_done(function () { | |
26 assert_equals(loaded[generateURL("write")], undefined); | |
27 assert_true(blocked[24]); | |
28 }, 1)); | |
29 }, "Script injected via 'document.write' is not allowed with 'unsafe-dyn
amic', even if whitelisted."); | |
30 | |
31 async_test(function (t) { | |
32 document.write("<scr" + "ipt defer src='" + generateURL("write-defer")
+ "'></scr" + "ipt>"); | |
33 setTimeout(t.step_func_done(function () { | |
34 assert_equals(loaded[generateURL("write-defer")], undefined); | |
35 assert_true(blocked[32]); | |
36 }, 1)); | |
37 }, "Deferred script injected via 'document.write' is not allowed with 'u
nsafe-dynamic', even if whitelisted."); | |
38 | |
39 async_test(function (t) { | |
40 document.write("<scr" + "ipt async src='" + generateURL("write-async")
+ "'></scr" + "ipt>"); | |
41 setTimeout(t.step_func_done(function () { | |
42 assert_equals(loaded[generateURL("write-async")], undefined); | |
43 assert_true(blocked[40]); | |
44 }, 1)); | |
45 }, "Async script injected via 'document.write' is not allowed with 'unsa
fe-dynamic', even if whitelisted."); | |
46 </script> | |
47 </body> | |
48 </html> | |
OLD | NEW |