third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic.html - Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies.

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic.html

Issue 2401573003: CSP: Fix 'strict-dynamic' with multiple policies. (Closed)

Patch Set: Tests compile. Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-whitelist.html » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
	(Empty)
1 <!DOCTYPE html>

2 <html>

3 <head>

4 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdef g' 'strict-dynamic'">

5 <script src="/resources/testharness.js" nonce="abcdefg"></script>

6 <script src="/resources/testharnessreport.js" nonce="abcdefg"></script>

7 </head>

8 <body>

9 <script nonce="abcdefg">

10 function generateURL(type) {

11 return 'http://localhost:8000/security/contentSecurityPolicy/resources /loaded.js?' + type;

12 }

13

14 var loaded = {};

15 var blocked = {};

16 window.addEventListener("message", function (e) {

17 loaded[e.data] = true;

18 });

19 document.addEventListener("securitypolicyviolation", function (e) {

20 blocked[e.lineNumber] = true;

21 });

22 </script>

23 <!-- Need to individually wrap test cases in script blocks. Violation report s triggered by document.write() calls while the parser is waiting on blocking sc ipts are missing line numbers. See: https://crbug.com/649085. -->

24 <script nonce="abcdefg">

25 async_test(function (t) {

26 var e = document.createElement('script');

27 e.src = generateURL("append");

28 e.onload = t.step_func(function () {

29 // Delay the check until after the postMessage has a chance to exe cute.

30 setTimeout(t.step_func_done(function () {

31 assert_true(loaded[generateURL("append")]);

32 }), 1);

33 });

34 e.onerror = t.unreached_func("Error should not be triggered.");

35 document.body.appendChild(e);

36 }, "Script injected via 'appendChild' is allowed with 'strict-dynamic'." );

37 </script>

38 <script nonce="abcdefg">

39 async_test(function (t) {

40 var e = document.createElement('script');

41 e.src = generateURL("append-async");

42 e.async = true;

43 e.onload = t.step_func(function () {

44 // Delay the check until after the postMessage has a chance to exe cute.

45 setTimeout(t.step_func_done(function () {

46 assert_true(loaded[generateURL("append-async")]);

47 }), 1);

48 });

49 e.onerror = t.unreached_func("Error should not be triggered.");

50 document.body.appendChild(e);

51 }, "Async script injected via 'appendChild' is allowed with 'strict-dyna mic'.");

52 </script>

53 <script nonce="abcdefg">

54 async_test(function (t) {

55 var e = document.createElement('script');

56 e.src = generateURL("append-defer");

57 e.defer = true;

58 e.onload = t.step_func(function () {

59 // Delay the check until after the postMessage has a chance to exe cute.

60 setTimeout(t.step_func_done(function () {

61 assert_true(loaded[generateURL("append-defer")]);

62 }), 1);

63 });

64 e.onerror = t.unreached_func("Error should not be triggered.");

65 document.body.appendChild(e);

66 }, "Deferred script injected via 'appendChild' is allowed with 'strict-d ynamic'.");

67 </script>

68 <script nonce="abcdefg">

69 async_test(function (t) {

70 document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");

71 setTimeout(t.step_func_done(function () {

72 assert_equals(loaded[generateURL("write")], undefined);

73 assert_true(blocked[70]);

74 }), 1);

75 }, "Script injected via 'document.write' is not allowed with 'strict-dyn amic'.");

76 </script>

77 <script nonce="abcdefg">

78 async_test(function (t) {

79 document.write("<scr" + "ipt defer src='" + generateURL("write-defer") + "'></scr" + "ipt>");

80 setTimeout(t.step_func_done(function () {

81 assert_equals(loaded[generateURL("write-defer")], undefined);

82 assert_true(blocked[79]);

83 }), 1);

84 }, "Deferred script injected via 'document.write' is not allowed with 's trict-dynamic'.");

85 </script>

86 <script nonce="abcdefg">

87 async_test(function (t) {

88 document.write("<scr" + "ipt async src='" + generateURL("write-async") + "'></scr" + "ipt>");

89 setTimeout(t.step_func_done(function () {

90 assert_equals(loaded[generateURL("write-async")], undefined);

91 assert_true(blocked[88]);

92 }), 1);

93 }, "Async script injected via 'document.write' is not allowed with 'stri ct-dynamic'.");

94 </script>

95 <script nonce="abcdefg" defer>

96 async_test(function (t) {

97 var e = document.createElement('script');

98 e.src = generateURL("defer-append");

99 e.onload = t.step_func(function () {

100 // Delay the check until after the postMessage has a chance to exe cute.

101 setTimeout(t.step_func_done(function () {

102 assert_true(loaded[generateURL("defer-append")]);

103 assert_equals(blocked[generateURL("defer-append")], undefined);

104 }), 1);

105 });

106 e.onerror = t.unreached_func("Error should not be triggered.");

107 document.body.appendChild(e);

108 }, "Script injected via deferred 'appendChild' is allowed with 'strict-d ynamic'.");

109 </script>

110 <script nonce="abcdefg" defer>

111 async_test(function (t) {

112 var e = document.createElement('script');

113 e.src = generateURL("defer-append-async");

114 e.async = true;

115 e.onload = t.step_func(function () {

116 // Delay the check until after the postMessage has a chance to exe cute.

117 setTimeout(t.step_func_done(function () {

118 assert_true(loaded[generateURL("defer-append-async")]);

119 assert_equals(blocked[generateURL("defer-append-async")], undefi ned);

120 }), 1);

121 });

122 e.onerror = t.unreached_func("Error should not be triggered.");

123 document.body.appendChild(e);

124 }, "Async script injected via deferred 'appendChild' is allowed with 'st rict-dynamic'.");

125 </script>

126 <script nonce="abcdefg" defer>

127 async_test(function (t) {

128 var e = document.createElement('script');

129 e.src = generateURL("defer-append-defer");

130 e.defer = true;

131 e.onload = t.step_func(function () {

132 // Delay the check until after the postMessage has a chance to exe cute.

133 setTimeout(t.step_func_done(function () {

134 assert_true(loaded[generateURL("defer-append-defer")]);

135 assert_equals(blocked[generateURL("defer-append-defer")], undefi ned);

136 }), 1);

137 });

138 e.onerror = t.unreached_func("Error should not be triggered.");

139 document.body.appendChild(e);

140 }, "Deferred script injected via deferred 'appendChild' is allowed with 'strict-dynamic'.");

141 </script>

142 <script nonce="abcdefg" defer>

143 async_test(function (t) {

144 document.write("<scr" + "ipt src='" + generateURL("defer-write") + "'> </scr" + "ipt>");

145 setTimeout(t.step_func_done(function () {

146 assert_equals(loaded[generateURL("defer-write")], undefined);

147 assert_true(blocked[144]);

148 }), 1);

149 }, "Script injected via deferred 'document.write' is not allowed with 's trict-dynamic'.");

150 </script>

151 <script nonce="abcdefg" defer>

152 async_test(function (t) {

153 document.write("<scr" + "ipt defer src='" + generateURL("defer-write-d efer") + "'></scr" + "ipt>");

154 setTimeout(t.step_func_done(function () {

155 assert_equals(loaded[generateURL("defer-write-defer")], undefined);

156 assert_true(blocked[153]);

157 }), 1);

158 }, "Deferred script injected via deferred 'document.write' is not allowe d with 'strict-dynamic'.");

159 </script>

160 <script nonce="abcdefg" defer>

161 async_test(function (t) {

162 document.write("<scr" + "ipt async src='" + generateURL("defer-write-a sync") + "'></scr" + "ipt>");

163 setTimeout(t.step_func_done(function () {

164 assert_equals(loaded[generateURL("defer-write-async")], undefined);

165 assert_true(blocked[162]);

166 }), 1);

167 }, "Async script injected via deferred 'document.write' is not allowed w ith 'strict-dynamic'.");

168 </script>

169 </body>

170 </html>

OLD	NEW