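--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -0,0 +1,55 @@
+<?php
+header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'none'");
+?>
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<!-- Basics -->
+<script nonce="abc">
+test(t => {
+assert_equals(document.querySelector('[nonce=abc]'), null);
+assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
+assert_equals(document.currentScript.nonce, 'abc');
+}, "Reading 'nonce' content attribute and IDL attribute.");
+
+test(t => {
+document.currentScript.setAttribute('nonce', 'xyz');
+assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
+assert_equals(document.currentScript.nonce, 'xyz');
+}, "Writing 'nonce' content attribute.");
+
+test(t => {
+assert_equals(document.currentScript.nonce, 'xyz');
+document.currentScript.nonce = 'foo';
+assert_equals(document.currentScript.nonce, 'foo');
+}, "Writing 'nonce' DOM attribute.");
+
+async_test(t => {
+var script = document.currentScript;
+assert_equals(script.nonce, 'foo');
+
+setTimeout(_ => {
+assert_equals(script.nonce, "");
+t.done();
+}, 1);
+}, "'nonce' DOM attribute cleared after current task.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+#test { display: block; }
+#test[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<script nonce="abc">
+var css_test = async_test(t => {
+document.addEventListener('securitypolicyviolation', e => {
+assert_unreached("No image should be requested via CSS.");
+});
+}, "Nonces don't leak via CSS side-channels.");
+</script>
+<script id="test" nonce="abc">
+window.onload = e => {
+css_test.done();
+};
+</script>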
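Review bot: The assertions inside the setTimeout callback (file line 33) and the securitypolicyviolation listener (file line 47) run outside a testharness step, so a failing assert there surfaces as an uncaught harness error instead of failing the named test, and the CSS-leakage async_test can still finish as passed when css_test.done() runs on load. Wrap them in the test's step helpers: `setTimeout(t.step_func_done(_ => { assert_equals(script.nonce, ""); }), 1);` and `document.addEventListener('securitypolicyviolation', t.unreached_func("No image should be requested via CSS."));`. The leakage check also appears to rely on any image fetch triggered by the `#test[nonce=abc]` rule being reported as a violation before the load event fires; a one-line comment above `window.onload` stating that ordering assumption would help the next reader.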