third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php - Issue 2628733005: Experiment with hiding <script>'s 'nonce' content attribute.

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php

Issue 2628733005: Experiment with hiding <script>'s 'nonce' content attribute. (Closed)

Patch Set: Ugh. Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« third_party/WebKit/LayoutTests/W3CImportExpectations ('K') | « third_party/WebKit/LayoutTests/fast/dom/element-attribute-js-null-expected.txt ('k') | third_party/WebKit/Source/core/dom/ScriptLoader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 <?php

	2 header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'non e'");

	3 ?>

	4 <!doctype html>

	5 <script src="/resources/testharness.js"></script>

	6 <script src="/resources/testharnessreport.js"></script>

	7 <body>

	8 <!-- Basics -->

	9 <script nonce="abc">

	10 test(t => {

	11 assert_equals(document.querySelector('[nonce=abc]'), null);

	12 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');

	13 assert_equals(document.currentScript.nonce, 'abc');

	14 }, "Reading 'nonce' content attribute and IDL attribute.");

	15

	16 test(t => {

	17 document.currentScript.setAttribute('nonce', 'xyz');

	18 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');

	19 assert_equals(document.currentScript.nonce, 'xyz');

	20 }, "Writing 'nonce' content attribute.");

	21

	22 test(t => {

	23 assert_equals(document.currentScript.nonce, 'xyz');

	24 document.currentScript.nonce = 'foo';

	25 assert_equals(document.currentScript.nonce, 'foo');

	26 }, "Writing 'nonce' DOM attribute.");

	27

	28 async_test(t => {

	29 var script = document.currentScript;

	30 assert_equals(script.nonce, 'foo');

	31

	32 setTimeout(_ => {

	33 assert_equals(script.nonce, "");

	34 t.done();

	35 }, 1);

	36 }, "'nonce' DOM attribute cleared after current task.");

	37 </script>

	38

	39 <!-- CSS Leakage -->

	40 <style>

	41 #test { display: block; }

	42 #test[nonce=abc] { background: url(/security/resources/abe.png); }

	43 </style>

	44 <script nonce="abc">

	45 var css_test = async_test(t => {

	46 document.addEventListener('securitypolicyviolation', e => {

	47 assert_unreached("No image should be requested via CSS.");

	48 });

	49 }, "Nonces don't leak via CSS side-channels.");

	50 </script>

	51 <script id="test" nonce="abc">

	52 window.onload = e => {

	53 css_test.done();

	54 };

	55 </script>

OLD	NEW