
Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php

Issue 2260103003: CSP: Experimentally harden against nonce-stealing injections. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: yoav@ Created 4 years, 4 months ago
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
index de270a1482783969b321b93693ea63e26aaddced..11ce01d80a5ff74ec745f2fb1ebc26f46cc5c81e 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
@@ -6,17 +6,52 @@
<script src="/resources/testharnessreport.js"></script>
<script nonce="abc">
async_test(t => {
- var watcher = new EventWatcher(t, document, ['securitypolicyviolation','securitypolicyviolation']);
+ var watcher = new EventWatcher(t, document, ['securitypolicyviolation', 'securitypolicyviolation','securitypolicyviolation', 'securitypolicyviolation','securitypolicyviolation','securitypolicyviolation', 'securitypolicyviolation', 'securitypolicyviolation']);
watcher
.wait_for('securitypolicyviolation')
.then(t.step_func(e => {
assert_equals(e.blockedURI, "inline");
- assert_equals(e.lineNumber, 23);
+ assert_equals(e.lineNumber, 58);
return watcher.wait_for('securitypolicyviolation');
}))
- .then(t.step_func_done(e => {
+ .then(t.step_func(e => {
+ assert_equals(e.blockedURI, "inline");
+ assert_equals(e.lineNumber, 61);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func(e => {
+ assert_equals(e.blockedURI, "inline");
+ assert_equals(e.lineNumber, 64);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func(e => {
assert_equals(e.blockedURI, "inline");
- assert_equals(e.lineNumber, 26);
+ assert_equals(e.lineNumber, 67);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func(e => {
+ assert_equals(e.blockedURI, "inline");
+ assert_equals(e.lineNumber, 70);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func(e => {
+ assert_equals(e.blockedURI, "https://evil.example.test/yay1.js");
+ assert_equals(e.lineNumber, 0);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func(e => {
+ assert_equals(e.blockedURI, "https://evil.example.test/yay2.js");
+ assert_equals(e.lineNumber, 0);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func(e => {
+ assert_equals(e.blockedURI, "https://evil.example.test/yay3.js");
+ assert_equals(e.lineNumber, 0);
+ return watcher.wait_for('securitypolicyviolation');
+ }))
+ .then(t.step_func_done(e => {
+ assert_equals(e.blockedURI, "https://evil.example.test/yay4.js");
+ assert_equals(e.lineNumber, 0);
}));
}, "Unnonced script blocks generate reports.");
@@ -29,6 +64,27 @@
<script nonce="xyz">
unexecuted_test.assert_unreached("This code block should not execute.");
</script>
+<script <script nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</script>
+<script attribute<script nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</script>
+<script attribute=<script nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</script>
+<script src=https://evil.example.test/yay1.js <script nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</script>
+<script src=https://evil.example.test/yay2.js attribute=<script nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</script>
+<script src=https://evil.example.test/yay3.js <style nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</style></script>
+<script src=https://evil.example.test/yay4.js attribute=<style nonce="abc">
+ unexecuted_test.assert_unreached("This code block should not execute.");
+</style></script>
<script nonce="abc">
executed_test.done();
unexecuted_test.done();
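Review bot: The EventWatcher constructed at the top of the first hunk lists 'securitypolicyviolation' eight times while the promise chain below calls wait_for nine times (five inline expectations at lines 58–70, then four src URLs), which reads as if the repeated entries were an event budget; as far as I can tell EventWatcher registers one listener per distinct type and addEventListener drops duplicate listeners, so the repetition has no effect and `['securitypolicyviolation']` states the intent without implying a count. The chain also relies on violations firing in document order and on the exact inline line numbers, both of which are fixed by the markup added in the second hunk; a comment above `watcher` such as `// One event per injected block below, in document order: five inline blocks, then the four with a src URL` would make that coupling visible to whoever next reorders or inserts a test case. The closing `}, "Unnonced script blocks generate reports.");` is the last line of the first hunk, so the whole async_test body is in view.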
