Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(40)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic.html

Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies. (Closed)
Patch Set: Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-whitelist.html » ('j') | third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 <!DOCTYPE html>
2 <html>
3 <head>
4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef g' 'strict-dynamic'">
5 <script src="/resources/testharness.js" nonce="abcdefg"></script>
6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script>
7 </head>
8 <body>
9 <script nonce="abcdefg">
10 function generateURL(type) {
11 return 'http://localhost:8000/security/contentSecurityPolicy/resources /loaded.js?' + type;
12 }
13
14 var loaded = {};
15 var blocked = {};
16 window.addEventListener("message", function (e) {
17 loaded[e.data] = true;
18 });
19 document.addEventListener("securitypolicyviolation", function (e) {
20 blocked[e.lineNumber] = true;
21 });
22 </script>
23 <!-- Need to individually wrap test cases in script blocks. Violation report s triggered by document.write() calls while the parser is waiting on blocking sc ipts are missing line numbers. See: https://crbug.com/649085. -->
24 <script nonce="abcdefg">
25 async_test(function (t) {
26 var e = document.createElement('script');
27 e.src = generateURL("append");
28 e.onload = t.step_func(function () {
29 // Delay the check until after the postMessage has a chance to exe cute.
30 setTimeout(t.step_func_done(function () {
31 assert_true(loaded[generateURL("append")]);
32 }), 1);
33 });
34 e.onerror = t.unreached_func("Error should not be triggered.");
35 document.body.appendChild(e);
36 }, "Script injected via 'appendChild' is allowed with 'strict-dynamic'." );
37 </script>
38 <script nonce="abcdefg">
39 async_test(function (t) {
40 var e = document.createElement('script');
41 e.src = generateURL("append-async");
42 e.async = true;
43 e.onload = t.step_func(function () {
44 // Delay the check until after the postMessage has a chance to exe cute.
45 setTimeout(t.step_func_done(function () {
46 assert_true(loaded[generateURL("append-async")]);
47 }), 1);
48 });
49 e.onerror = t.unreached_func("Error should not be triggered.");
50 document.body.appendChild(e);
51 }, "Async script injected via 'appendChild' is allowed with 'strict-dyna mic'.");
52 </script>
53 <script nonce="abcdefg">
54 async_test(function (t) {
55 var e = document.createElement('script');
56 e.src = generateURL("append-defer");
57 e.defer = true;
58 e.onload = t.step_func(function () {
59 // Delay the check until after the postMessage has a chance to exe cute.
60 setTimeout(t.step_func_done(function () {
61 assert_true(loaded[generateURL("append-defer")]);
62 }), 1);
63 });
64 e.onerror = t.unreached_func("Error should not be triggered.");
65 document.body.appendChild(e);
66 }, "Deferred script injected via 'appendChild' is allowed with 'strict-d ynamic'.");
67 </script>
68 <script nonce="abcdefg">
69 async_test(function (t) {
70 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");
71 setTimeout(t.step_func_done(function () {
72 assert_equals(loaded[generateURL("write")], undefined);
73 assert_true(blocked[70]);
74 }), 1);
75 }, "Script injected via 'document.write' is not allowed with 'strict-dyn amic'.");
76 </script>
77 <script nonce="abcdefg">
78 async_test(function (t) {
79 document.write("<scr" + "ipt defer src='" + generateURL("write-defer") + "'></scr" + "ipt>");
80 setTimeout(t.step_func_done(function () {
81 assert_equals(loaded[generateURL("write-defer")], undefined);
82 assert_true(blocked[79]);
83 }), 1);
84 }, "Deferred script injected via 'document.write' is not allowed with 's trict-dynamic'.");
85 </script>
86 <script nonce="abcdefg">
87 async_test(function (t) {
88 document.write("<scr" + "ipt async src='" + generateURL("write-async") + "'></scr" + "ipt>");
89 setTimeout(t.step_func_done(function () {
90 assert_equals(loaded[generateURL("write-async")], undefined);
91 assert_true(blocked[88]);
92 }), 1);
93 }, "Async script injected via 'document.write' is not allowed with 'stri ct-dynamic'.");
94 </script>
95 <script nonce="abcdefg" defer>
96 async_test(function (t) {
97 var e = document.createElement('script');
98 e.src = generateURL("defer-append");
99 e.onload = t.step_func(function () {
100 // Delay the check until after the postMessage has a chance to exe cute.
101 setTimeout(t.step_func_done(function () {
102 assert_true(loaded[generateURL("defer-append")]);
103 assert_equals(blocked[generateURL("defer-append")], undefined);
104 }), 1);
105 });
106 e.onerror = t.unreached_func("Error should not be triggered.");
107 document.body.appendChild(e);
108 }, "Script injected via deferred 'appendChild' is allowed with 'strict-d ynamic'.");
109 </script>
110 <script nonce="abcdefg" defer>
111 async_test(function (t) {
112 var e = document.createElement('script');
113 e.src = generateURL("defer-append-async");
114 e.async = true;
115 e.onload = t.step_func(function () {
116 // Delay the check until after the postMessage has a chance to exe cute.
117 setTimeout(t.step_func_done(function () {
118 assert_true(loaded[generateURL("defer-append-async")]);
119 assert_equals(blocked[generateURL("defer-append-async")], undefi ned);
120 }), 1);
121 });
122 e.onerror = t.unreached_func("Error should not be triggered.");
123 document.body.appendChild(e);
124 }, "Async script injected via deferred 'appendChild' is allowed with 'st rict-dynamic'.");
125 </script>
126 <script nonce="abcdefg" defer>
127 async_test(function (t) {
128 var e = document.createElement('script');
129 e.src = generateURL("defer-append-defer");
130 e.defer = true;
131 e.onload = t.step_func(function () {
132 // Delay the check until after the postMessage has a chance to exe cute.
133 setTimeout(t.step_func_done(function () {
134 assert_true(loaded[generateURL("defer-append-defer")]);
135 assert_equals(blocked[generateURL("defer-append-defer")], undefi ned);
136 }), 1);
137 });
138 e.onerror = t.unreached_func("Error should not be triggered.");
139 document.body.appendChild(e);
140 }, "Deferred script injected via deferred 'appendChild' is allowed with 'strict-dynamic'.");
141 </script>
142 <script nonce="abcdefg" defer>
143 async_test(function (t) {
144 document.write("<scr" + "ipt src='" + generateURL("defer-write") + "'> </scr" + "ipt>");
145 setTimeout(t.step_func_done(function () {
146 assert_equals(loaded[generateURL("defer-write")], undefined);
147 assert_true(blocked[144]);
148 }), 1);
149 }, "Script injected via deferred 'document.write' is not allowed with 's trict-dynamic'.");
150 </script>
151 <script nonce="abcdefg" defer>
152 async_test(function (t) {
153 document.write("<scr" + "ipt defer src='" + generateURL("defer-write-d efer") + "'></scr" + "ipt>");
154 setTimeout(t.step_func_done(function () {
155 assert_equals(loaded[generateURL("defer-write-defer")], undefined);
156 assert_true(blocked[153]);
157 }), 1);
158 }, "Deferred script injected via deferred 'document.write' is not allowe d with 'strict-dynamic'.");
159 </script>
160 <script nonce="abcdefg" defer>
161 async_test(function (t) {
162 document.write("<scr" + "ipt async src='" + generateURL("defer-write-a sync") + "'></scr" + "ipt>");
163 setTimeout(t.step_func_done(function () {
164 assert_equals(loaded[generateURL("defer-write-async")], undefined);
165 assert_true(blocked[162]);
166 }), 1);
167 }, "Async script injected via deferred 'document.write' is not allowed w ith 'strict-dynamic'.");
168 </script>
169 </body>
170 </html>
OLDNEW
« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-whitelist.html » ('j') | third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698