1 <?php | 1 <?php |
2 header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'non
e'"); | 2 header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'non
e'"); |
3 ?> | 3 ?> |
4 <!doctype html> | 4 <!doctype html> |
5 <script src="/resources/testharness.js"></script> | 5 <script src="/resources/testharness.js"></script> |
6 <script src="/resources/testharnessreport.js"></script> | 6 <script src="/resources/testharnessreport.js"></script> |
7 <body> | 7 <body> |
8 <!-- Basics --> | 8 <!-- Basics --> |
9 <script nonce="abc"> | 9 <script nonce="abc"> |
10 test(t => { | 10 test(t => { |
11 assert_equals(document.querySelector('[nonce=abc]'), null); | 11 assert_equals(document.querySelector('[nonce=abc]'), null); |
12 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); | 12 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); |
13 assert_equals(document.currentScript.nonce, 'abc'); | 13 assert_equals(document.currentScript.nonce, 'abc'); |
14 }, "Reading 'nonce' content attribute and IDL attribute."); | 14 }, "HTML: Reading 'nonce' content attribute and IDL attribute."); |
15 | 15 |
16 test(t => { | 16 test(t => { |
17 document.currentScript.setAttribute('nonce', 'xyz'); | 17 document.currentScript.setAttribute('nonce', 'xyz'); |
18 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); | 18 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); |
19 assert_equals(document.currentScript.nonce, 'xyz'); | 19 assert_equals(document.currentScript.nonce, 'xyz'); |
20 }, "Writing 'nonce' content attribute."); | 20 }, "HTML: Writing 'nonce' content attribute."); |
21 | 21 |
22 test(t => { | 22 test(t => { |
23 assert_equals(document.currentScript.nonce, 'xyz'); | 23 assert_equals(document.currentScript.nonce, 'xyz'); |
24 document.currentScript.nonce = 'foo'; | 24 document.currentScript.nonce = 'foo'; |
25 assert_equals(document.currentScript.nonce, 'foo'); | 25 assert_equals(document.currentScript.nonce, 'foo'); |
26 }, "Writing 'nonce' DOM attribute."); | 26 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); |
| 27 }, "HTML: Writing 'nonce' DOM attribute."); |
27 | 28 |
28 async_test(t => { | 29 async_test(t => { |
29 var script = document.currentScript; | 30 var script = document.currentScript; |
30 assert_equals(script.nonce, 'foo'); | 31 assert_equals(script.nonce, 'foo'); |
31 | 32 |
32 setTimeout(_ => { | 33 setTimeout(t.step_func_done(_ => { |
33 assert_equals(script.nonce, ""); | 34 assert_equals(script.nonce, "foo"); |
34 t.done(); | 35 }), 1); |
35 }, 1); | 36 }, "HTML: 'nonce' DOM attribute present after current task."); |
36 }, "'nonce' DOM attribute cleared after current task."); | |
37 </script> | 37 </script> |
38 | 38 |
| 39 <!-- SVGScriptElement --> |
| 40 <svg xmlns="http://www.w3.org/2000/svg"> |
| 41 <script nonce="abc"> |
| 42 test(t => { |
| 43 assert_equals(document.querySelector('[nonce=abc]'), null); |
| 44 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); |
| 45 assert_equals(document.currentScript.nonce, 'abc'); |
| 46 }, "SVG: Reading 'nonce' content attribute and IDL attribute."); |
| 47 |
| 48 test(t => { |
| 49 document.currentScript.setAttribute('nonce', 'xyz'); |
| 50 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); |
| 51 assert_equals(document.currentScript.nonce, 'xyz'); |
| 52 }, "SVG: Writing 'nonce' content attribute."); |
| 53 |
| 54 test(t => { |
| 55 assert_equals(document.currentScript.nonce, 'xyz'); |
| 56 document.currentScript.nonce = 'foo'; |
| 57 assert_equals(document.currentScript.nonce, 'foo'); |
| 58 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); |
| 59 }, "SVG: Writing 'nonce' DOM attribute."); |
| 60 |
| 61 async_test(t => { |
| 62 var script = document.currentScript; |
| 63 assert_equals(script.nonce, 'foo'); |
| 64 |
| 65 setTimeout(t.step_func_done(_ => { |
| 66 assert_equals(script.nonce, "foo"); |
| 67 }), 1); |
| 68 }, "SVG: 'nonce' DOM attribute present after current task."); |
| 69 </script> |
| 70 </svg> |
| 71 |
39 <!-- CSS Leakage --> | 72 <!-- CSS Leakage --> |
40 <style> | 73 <style> |
41 #test { display: block; } | 74 #test { display: block; } |
42 #test[nonce=abc] { background: url(/security/resources/abe.png); } | 75 #test[nonce=abc] { background: url(/security/resources/abe.png); } |
43 </style> | 76 </style> |
44 <script nonce="abc"> | 77 <script nonce="abc"> |
45 var css_test = async_test(t => { | 78 var css_test = async_test(t => { |
46 document.addEventListener('securitypolicyviolation', e => { | 79 document.addEventListener('securitypolicyviolation', e => { |
47 assert_unreached("No image should be requested via CSS."); | 80 assert_unreached("No image should be requested via CSS."); |
48 }); | 81 }); |
49 }, "Nonces don't leak via CSS side-channels."); | 82 }, "Nonces don't leak via CSS side-channels."); |
50 </script> | 83 </script> |
51 <script id="test" nonce="abc"> | 84 <script id="test" nonce="abc"> |
52 window.onload = e => { | 85 window.onload = e => { |
53 css_test.done(); | 86 css_test.done(); |
54 }; | 87 }; |
55 </script> | 88 </script> |
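Review bot: The CSS-leakage check at new lines 72-88 still covers only the HTML `<script id="test">`, while the commit adds nonce-hiding coverage for SVGScriptElement at lines 39-70 without a matching side-channel check, so a browser that hides the SVG nonce via the IDL attribute but leaves the content attribute selectable by `[nonce=abc]` would still pass. A parallel rule `#svg-test[nonce=abc] { background: url(/security/resources/abe.png); }` plus an `<svg xmlns="http://www.w3.org/2000/svg"><script id="svg-test" nonce="abc"></script></svg>` element under the same `img-src 'none'` policy would make the `securitypolicyviolation` listener exercise both element types. Separately, that listener at lines 79-81 is not wrapped in `t.step_func`, so if the image is ever requested the `assert_unreached` presumably surfaces as a harness error rather than a failure attributed to `css_test`; `document.addEventListener('securitypolicyviolation', t.step_func(e => { assert_unreached("No image should be requested via CSS."); }));` keeps the failure on the test itself. The HTML and SVG script bodies are otherwise verbatim duplicates apart from the test-name prefix, which is worth a note in the file explaining that both element types intentionally get identical expectations.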