Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-nonces-hidden.php

Issue 2644143005: Adjust the <script nonce>-hiding experiment (Closed)
Patch Set: webexposed Created 3 years, 11 months ago
OLDNEW
1 <?php 1 <?php
2 header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'non e'"); 2 header("Content-Security-Policy: script-src 'self' 'nonce-abc'; img-src 'non e'");
3 ?> 3 ?>
4 <!doctype html> 4 <!doctype html>
5 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharness.js"></script>
6 <script src="/resources/testharnessreport.js"></script> 6 <script src="/resources/testharnessreport.js"></script>
7 <body> 7 <body>
8 <!-- Basics --> 8 <!-- Basics -->
9 <script nonce="abc"> 9 <script nonce="abc">
10 test(t => { 10 test(t => {
11 assert_equals(document.querySelector('[nonce=abc]'), null); 11 assert_equals(document.querySelector('[nonce=abc]'), null);
12 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); 12 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
13 assert_equals(document.currentScript.nonce, 'abc'); 13 assert_equals(document.currentScript.nonce, 'abc');
14 }, "Reading 'nonce' content attribute and IDL attribute."); 14 }, "HTML: Reading 'nonce' content attribute and IDL attribute.");
15 15
16 test(t => { 16 test(t => {
17 document.currentScript.setAttribute('nonce', 'xyz'); 17 document.currentScript.setAttribute('nonce', 'xyz');
18 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]'); 18 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
19 assert_equals(document.currentScript.nonce, 'xyz'); 19 assert_equals(document.currentScript.nonce, 'xyz');
20 }, "Writing 'nonce' content attribute."); 20 }, "HTML: Writing 'nonce' content attribute.");
21 21
22 test(t => { 22 test(t => {
23 assert_equals(document.currentScript.nonce, 'xyz'); 23 assert_equals(document.currentScript.nonce, 'xyz');
24 document.currentScript.nonce = 'foo'; 24 document.currentScript.nonce = 'foo';
25 assert_equals(document.currentScript.nonce, 'foo'); 25 assert_equals(document.currentScript.nonce, 'foo');
26 }, "Writing 'nonce' DOM attribute."); 26 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
27 }, "HTML: Writing 'nonce' DOM attribute.");
27 28
28 async_test(t => { 29 async_test(t => {
29 var script = document.currentScript; 30 var script = document.currentScript;
30 assert_equals(script.nonce, 'foo'); 31 assert_equals(script.nonce, 'foo');
31 32
32 setTimeout(_ => { 33 setTimeout(t.step_func_done(_ => {
33 assert_equals(script.nonce, ""); 34 assert_equals(script.nonce, "foo");
34 t.done(); 35 }), 1);
35 }, 1); 36 }, "HTML: 'nonce' DOM attribute present after current task.");
36 }, "'nonce' DOM attribute cleared after current task.");
37 </script> 37 </script>
38 38
39 <!-- SVGScriptElement -->
40 <svg xmlns="http://www.w3.org/2000/svg">
41 <script nonce="abc">
42 test(t => {
43 assert_equals(document.querySelector('[nonce=abc]'), null);
44 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
45 assert_equals(document.currentScript.nonce, 'abc');
46 }, "SVG: Reading 'nonce' content attribute and IDL attribute.");
47
48 test(t => {
49 document.currentScript.setAttribute('nonce', 'xyz');
50 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
51 assert_equals(document.currentScript.nonce, 'xyz');
52 }, "SVG: Writing 'nonce' content attribute.");
53
54 test(t => {
55 assert_equals(document.currentScript.nonce, 'xyz');
56 document.currentScript.nonce = 'foo';
57 assert_equals(document.currentScript.nonce, 'foo');
58 assert_equals(document.currentScript.getAttribute('nonce'), '[Replaced]');
59 }, "SVG: Writing 'nonce' DOM attribute.");
60
61 async_test(t => {
62 var script = document.currentScript;
63 assert_equals(script.nonce, 'foo');
64
65 setTimeout(t.step_func_done(_ => {
66 assert_equals(script.nonce, "foo");
67 }), 1);
68 }, "SVG: 'nonce' DOM attribute present after current task.");
69 </script>
70 </svg>
71
39 <!-- CSS Leakage --> 72 <!-- CSS Leakage -->
40 <style> 73 <style>
41 #test { display: block; } 74 #test { display: block; }
42 #test[nonce=abc] { background: url(/security/resources/abe.png); } 75 #test[nonce=abc] { background: url(/security/resources/abe.png); }
43 </style> 76 </style>
44 <script nonce="abc"> 77 <script nonce="abc">
45 var css_test = async_test(t => { 78 var css_test = async_test(t => {
46 document.addEventListener('securitypolicyviolation', e => { 79 document.addEventListener('securitypolicyviolation', e => {
47 assert_unreached("No image should be requested via CSS."); 80 assert_unreached("No image should be requested via CSS.");
48 }); 81 });
49 }, "Nonces don't leak via CSS side-channels."); 82 }, "Nonces don't leak via CSS side-channels.");
50 </script> 83 </script>
51 <script id="test" nonce="abc"> 84 <script id="test" nonce="abc">
52 window.onload = e => { 85 window.onload = e => {
53 css_test.done(); 86 css_test.done();
54 }; 87 };
55 </script> 88 </script>
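Review bot: The two "'nonce' DOM attribute present after current task" tests (new lines 29-36 for HTML, 61-68 for SVG) assert only the IDL attribute inside the timeout callback, so nothing checks that the content attribute is still hidden once the nonce outlives the current task. The old expectation was that `script.nonce` became empty after the task; now that it stays `"foo"`, the `[Replaced]` content attribute is what these tests rely on to keep the value away from attribute selectors, and that is asserted only synchronously. I would add `assert_equals(script.getAttribute('nonce'), '[Replaced]');` next to the existing assertion in both callbacks. A one-line comment there would also help, noting that the IDL value appears to be kept readable to already-running script on purpose while the content attribute stays replaced.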