| Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
|
| diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
|
| index de270a1482783969b321b93693ea63e26aaddced..e427c6d85ee31bce286d1fff6526a1cd75cc04ed 100644
|
| --- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
|
| +++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
|
| @@ -6,17 +6,42 @@
|
| <script src="/resources/testharnessreport.js"></script>
|
| <script nonce="abc">
|
| async_test(t => {
|
| - var watcher = new EventWatcher(t, document, ['securitypolicyviolation','securitypolicyviolation']);
|
| + var watcher = new EventWatcher(t, document, ['securitypolicyviolation', 'securitypolicyviolation','securitypolicyviolation','securitypolicyviolation', 'securitypolicyviolation', 'securitypolicyviolation']);
|
| watcher
|
| .wait_for('securitypolicyviolation')
|
| .then(t.step_func(e => {
|
| assert_equals(e.blockedURI, "inline");
|
| - assert_equals(e.lineNumber, 23);
|
| + assert_equals(e.lineNumber, 48);
|
| return watcher.wait_for('securitypolicyviolation');
|
| }))
|
| - .then(t.step_func_done(e => {
|
| + .then(t.step_func(e => {
|
| + assert_equals(e.blockedURI, "inline");
|
| + assert_equals(e.lineNumber, 51);
|
| + return watcher.wait_for('securitypolicyviolation');
|
| + }))
|
| + .then(t.step_func(e => {
|
| assert_equals(e.blockedURI, "inline");
|
| - assert_equals(e.lineNumber, 26);
|
| + assert_equals(e.lineNumber, 54);
|
| + return watcher.wait_for('securitypolicyviolation');
|
| + }))
|
| + .then(t.step_func(e => {
|
| + assert_equals(e.blockedURI, "inline");
|
| + assert_equals(e.lineNumber, 57);
|
| + return watcher.wait_for('securitypolicyviolation');
|
| + }))
|
| + .then(t.step_func(e => {
|
| + assert_equals(e.blockedURI, "inline");
|
| + assert_equals(e.lineNumber, 60);
|
| + return watcher.wait_for('securitypolicyviolation');
|
| + }))
|
| + .then(t.step_func(e => {
|
| + assert_equals(e.blockedURI, "https://evil.example.test/yay1.js");
|
| + assert_equals(e.lineNumber, 0);
|
| + return watcher.wait_for('securitypolicyviolation');
|
| + }))
|
| + .then(t.step_func_done(e => {
|
| + assert_equals(e.blockedURI, "https://evil.example.test/yay2.js");
|
| + assert_equals(e.lineNumber, 0);
|
| }));
|
| }, "Unnonced script blocks generate reports.");
|
|
|
| @@ -29,6 +54,21 @@
|
| <script nonce="xyz">
|
| unexecuted_test.assert_unreached("This code block should not execute.");
|
| </script>
|
| +<script <script nonce="abc">
|
| + unexecuted_test.assert_unreached("This code block should not execute.");
|
| +</script>
|
| +<script attribute<script nonce="abc">
|
| + unexecuted_test.assert_unreached("This code block should not execute.");
|
| +</script>
|
| +<script attribute=<script nonce="abc">
|
| + unexecuted_test.assert_unreached("This code block should not execute.");
|
| +</script>
|
| +<script src=https://evil.example.test/yay1.js <script nonce="abc">
|
| + unexecuted_test.assert_unreached("This code block should not execute.");
|
| +</script>
|
| +<script src=https://evil.example.test/yay2.js attribute=<script nonce="abc">
|
| + unexecuted_test.assert_unreached("This code block should not execute.");
|
| +</script>
|
| <script nonce="abc">
|
| executed_test.done();
|
| unexecuted_test.done();
|
|
|
Chromium Code Reviews
Issue 2260103003:
CSP: Experimentally harden against nonce-stealing injections. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master