Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(93)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php

Issue 2628733005: Experiment with hiding <script>'s 'nonce' content attribute. (Closed)
Patch Set: Ugh. Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« third_party/WebKit/LayoutTests/W3CImportExpectations ('K') | « third_party/WebKit/LayoutTests/fast/dom/element-attribute-js-null-expected.txt ('k') | third_party/WebKit/Source/core/dom/ScriptLoader.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php
new file mode 100644
index 0000000000000000000000000000000000000000..b2a5f04e7dba69038145e9dc6a1c5814e75af9d0
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php
@@ -0,0 +1,55 @@
+<?php
+ header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'none'");
+?>
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<!-- Basics -->
+<script nonce="abc">
+ test(t => {
+ assert_equals(document.querySelector('[nonce=abc]'), null);
+ assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
+ assert_equals(document.currentScript.nonce, 'abc');
+ }, "Reading 'nonce' content attribute and IDL attribute.");
+
+ test(t => {
+ document.currentScript.setAttribute('nonce', 'xyz');
+ assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
+ assert_equals(document.currentScript.nonce, 'xyz');
+ }, "Writing 'nonce' content attribute.");
+
+ test(t => {
+ assert_equals(document.currentScript.nonce, 'xyz');
+ document.currentScript.nonce = 'foo';
+ assert_equals(document.currentScript.nonce, 'foo');
+ }, "Writing 'nonce' DOM attribute.");
+
+ async_test(t => {
+ var script = document.currentScript;
+ assert_equals(script.nonce, 'foo');
+
+ setTimeout(_ => {
+ assert_equals(script.nonce, "");
+ t.done();
+ }, 1);
+ }, "'nonce' DOM attribute cleared after current task.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+ #test { display: block; }
+ #test[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<script nonce="abc">
+ var css_test = async_test(t => {
+ document.addEventListener('securitypolicyviolation', e => {
+ assert_unreached("No image should be requested via CSS.");
+ });
+ }, "Nonces don't leak via CSS side-channels.");
+</script>
+<script id="test" nonce="abc">
+ window.onload = e => {
+ css_test.done();
+ };
+</script>
« third_party/WebKit/LayoutTests/W3CImportExpectations ('K') | « third_party/WebKit/LayoutTests/fast/dom/element-attribute-js-null-expected.txt ('k') | third_party/WebKit/Source/core/dom/ScriptLoader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698