OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE HTML> |
| 2 <html> |
| 3 |
| 4 <head> |
| 5 <title>Parser-inserted scripts without a correct nonce are not allowed with
`strict-dynamic` in the script-src directive.</title> |
| 6 <script src='/resources/testharness.js' nonce='dummy'></script> |
| 7 <script src='/resources/testharnessreport.js' nonce='dummy'></script> |
| 8 |
| 9 <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' --> |
| 10 </head> |
| 11 |
| 12 <body> |
| 13 <h1>Parser-inserted scripts without a correct nonce are not allowed with `st
rict-dynamic` in the script-src directive.</h1> |
| 14 <div id='log'></div> |
| 15 |
| 16 <script nonce='dummy'> |
| 17 async_test(function(t) { |
| 18 window.addEventListener('message', t.step_func(function(e) { |
| 19 if (e.data === 'documentWrite') { |
| 20 assert_unreached('Parser-inserted script via `document.write
` without a correct nonce is not allowed with `strict-dynamic`.'); |
| 21 } |
| 22 })); |
| 23 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 24 if (violation.blockedURI.split('?')[1] !== 'documentWrite') { |
| 25 return; |
| 26 } |
| 27 assert_equals(violation.effectiveDirective, 'script-src'); |
| 28 t.done(); |
| 29 })); |
| 30 |
| 31 document.write('<scr' + 'ipt id="documentWrite" src="simpleSourcedSc
ript.js?documentWrite"></scr' + 'ipt>'); |
| 32 }, 'Parser-inserted script via `document.write` without a correct nonce
is not allowed with `strict-dynamic`.'); |
| 33 </script> |
| 34 |
| 35 <script nonce='dummy'> |
| 36 async_test(function(t) { |
| 37 window.addEventListener('message', t.step_func(function(e) { |
| 38 if (e.data === 'documentWriteln') { |
| 39 assert_unreached('Parser-inserted script via `document.write
ln` without a correct nonce is not allowed with `strict-dynamic`.'); |
| 40 } |
| 41 })); |
| 42 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 43 if (violation.blockedURI.split('?')[1] !== 'documentWriteln') { |
| 44 return; |
| 45 } |
| 46 assert_equals(violation.effectiveDirective, 'script-src'); |
| 47 t.done(); |
| 48 })); |
| 49 |
| 50 document.writeln('<scr' + 'ipt id="documentWriteln" src="simpleSourc
edScript.js?documentWriteln"></scr' + 'ipt>'); |
| 51 }, 'Parser-inserted script via `document.writeln` without a correct nonc
e is not allowed with `strict-dynamic`.'); |
| 52 </script> |
| 53 |
| 54 <script nonce='dummy'> |
| 55 async_test(function(t) { |
| 56 window.addEventListener('message', t.step_func(function(e) { |
| 57 if (e.data === 'documentWrite-deferred') { |
| 58 assert_unreached('Parser-inserted deferred script via `docum
ent.write` without a correct nonce is not allowed with `strict-dynamic`.'); |
| 59 } |
| 60 })); |
| 61 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 62 if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferr
ed') { |
| 63 return; |
| 64 } |
| 65 assert_equals(violation.effectiveDirective, 'script-src'); |
| 66 t.done(); |
| 67 })); |
| 68 |
| 69 document.write('<scr' + 'ipt defer id="documentWrite-deferred" src="
simpleSourcedScript.js?documentWrite-deferred"></scr' + 'ipt>'); |
| 70 }, 'Parser-inserted deferred script via `document.write` without a corre
ct nonce is not allowed with `strict-dynamic`.'); |
| 71 </script> |
| 72 |
| 73 <script nonce='dummy'> |
| 74 async_test(function(t) { |
| 75 window.addEventListener('message', t.step_func(function(e) { |
| 76 if (e.data === 'documentWriteln-deferred') { |
| 77 assert_unreached('Parser-inserted deferred script via `docum
ent.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); |
| 78 } |
| 79 })); |
| 80 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 81 if (violation.blockedURI.split('?')[1] !== 'documentWriteln-defe
rred') { |
| 82 return; |
| 83 } |
| 84 assert_equals(violation.effectiveDirective, 'script-src'); |
| 85 t.done(); |
| 86 })); |
| 87 |
| 88 document.writeln('<scr' + 'ipt defer id="documentWriteln-deferred" s
rc="simpleSourcedScript.js?documentWriteln-deferred"></scr' + 'ipt>'); |
| 89 }, 'Parser-inserted deferred script via `document.writeln` without a cor
rect nonce is not allowed with `strict-dynamic`.'); |
| 90 </script> |
| 91 |
| 92 <script nonce='dummy'> |
| 93 async_test(function(t) { |
| 94 window.addEventListener('message', t.step_func(function(e) { |
| 95 if (e.data === 'documentWrite-async') { |
| 96 assert_unreached('Parser-inserted async script via `document
.write` without a correct nonce is not allowed with `strict-dynamic`.'); |
| 97 } |
| 98 })); |
| 99 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 100 if (violation.blockedURI.split('?')[1] !== 'documentWrite-async'
) { |
| 101 return; |
| 102 } |
| 103 assert_equals(violation.effectiveDirective, 'script-src'); |
| 104 t.done(); |
| 105 })); |
| 106 |
| 107 document.write('<scr' + 'ipt async id="documentWrite-async" src="sim
pleSourcedScript.js?documentWrite-async"></scr' + 'ipt>'); |
| 108 }, 'Parser-inserted async script via `document.write` without a correct
nonce is not allowed with `strict-dynamic`.'); |
| 109 </script> |
| 110 |
| 111 <script nonce='dummy'> |
| 112 async_test(function(t) { |
| 113 window.addEventListener('message', t.step_func(function(e) { |
| 114 if (e.data === 'documentWriteln-async') { |
| 115 assert_unreached('Parser-inserted async script via `document
.writeln` without a correct nonce is not allowed with `strict-dynamic`.'); |
| 116 } |
| 117 })); |
| 118 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 119 if (violation.blockedURI.split('?')[1] !== 'documentWriteln-asyn
c') { |
| 120 return; |
| 121 } |
| 122 assert_equals(violation.effectiveDirective, 'script-src'); |
| 123 t.done(); |
| 124 })); |
| 125 |
| 126 document.writeln('<scr' + 'ipt async id="documentWriteln-async" src=
"simpleSourcedScript.js?documentWriteln-async"></scr' + 'ipt>'); |
| 127 }, 'Parser-inserted async script via `document.writeln` without a correc
t nonce is not allowed with `strict-dynamic`.'); |
| 128 </script> |
| 129 |
| 130 <script nonce='dummy'> |
| 131 async_test(function(t) { |
| 132 window.addEventListener('message', t.step_func(function(e) { |
| 133 if (e.data === 'documentWrite-deferred-async') { |
| 134 assert_unreached('Parser-inserted deferred async script via
`document.write` without a correct nonce is not allowed with `strict-dynamic`.')
; |
| 135 } |
| 136 })); |
| 137 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 138 if (violation.blockedURI.split('?')[1] !== 'documentWrite-deferr
ed-async') { |
| 139 return; |
| 140 } |
| 141 assert_equals(violation.effectiveDirective, 'script-src'); |
| 142 t.done(); |
| 143 })); |
| 144 |
| 145 document.write('<scr' + 'ipt defer async id="documentWrite-deferred-
async" src="simpleSourcedScript.js?documentWrite-deferred-async"></scr' + 'ipt>'
); |
| 146 }, 'Parser-inserted deferred async script via `document.write` without a
correct nonce is not allowed with `strict-dynamic`.'); |
| 147 </script> |
| 148 |
| 149 <script nonce='dummy'> |
| 150 async_test(function(t) { |
| 151 window.addEventListener('message', t.step_func(function(e) { |
| 152 if (e.data === 'documentWriteln-deferred-async') { |
| 153 assert_unreached('Parser-inserted deferred async script via
`document.writeln` without a correct nonce is not allowed with `strict-dynamic`.
'); |
| 154 } |
| 155 })); |
| 156 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 157 if (violation.blockedURI.split('?')[1] !== 'documentWriteln-defe
rred-async') { |
| 158 return; |
| 159 } |
| 160 assert_equals(violation.effectiveDirective, 'script-src'); |
| 161 t.done(); |
| 162 })); |
| 163 |
| 164 document.writeln('<scr' + 'ipt defer async id="documentWriteln-defer
red-async " src="simpleSourcedScript.js?documentWriteln-deferred-async "></scr'
+ 'ipt>'); |
| 165 }, 'Parser-inserted deferred async script via `document.writeln` without
a correct nonce is not allowed with `strict-dynamic`.'); |
| 166 </script> |
| 167 |
| 168 <script nonce='dummy'> |
| 169 var innerHTMLScriptRan = false; |
| 170 async_test(function(t) { |
| 171 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 172 if (violation.target.id !== 'innerHTML') { |
| 173 return; |
| 174 } |
| 175 assert_false(innerHTMLScriptRan); |
| 176 assert_equals(violation.effectiveDirective, 'script-src'); |
| 177 t.done(); |
| 178 })); |
| 179 |
| 180 var e = document.createElement('div'); |
| 181 e.innerHTML = "<img id='innerHTML' src='/nonexisting.jpg' onerror='i
nnerHTMLScriptRan = true;' style='display:none'>"; |
| 182 document.body.appendChild(e); |
| 183 }, 'Script injected via `innerHTML` is not allowed with `strict-dynamic`
.'); |
| 184 </script> |
| 185 |
| 186 <script nonce='dummy'> |
| 187 var insertAdjacentHTMLScriptRan = false; |
| 188 async_test(function(t) { |
| 189 window.addEventListener('securitypolicyviolation', t.step_func(funct
ion(violation) { |
| 190 if (violation.target.id !== 'insertAdjacentHTML') { |
| 191 return; |
| 192 } |
| 193 assert_false(insertAdjacentHTMLScriptRan); |
| 194 assert_equals(violation.effectiveDirective, 'script-src'); |
| 195 t.done(); |
| 196 })); |
| 197 |
| 198 var e = document.createElement('div'); |
| 199 e.insertAdjacentHTML('afterbegin', "<img id='insertAdjacentHTML' src
='/nonexisting.jpg' onerror='insertAdjacentHTMLScriptRan = true;' style='display
:none'>"); |
| 200 document.body.appendChild(e); |
| 201 }, 'Script injected via `insertAdjacentHTML` is not allowed with `strict
-dynamic`.'); |
| 202 </script> |
| 203 </body> |
| 204 |
| 205 </html> |
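Review bot: The last `document.writeln` case (new line 164), as rendered here, has a trailing space inside both the `id` value and the `src` query string (`id="documentWriteln-deferred-async "`, `?documentWriteln-deferred-async "`), unlike the other seven parser-inserted cases. The violation filter on line 157 compares `blockedURI.split('?')[1]` with the string without the space, so this sub-test completes only if the browser strips that whitespace when it resolves the URL; otherwise it times out. If `simpleSourcedScript.js` (not shown on this page) posts the element id or the raw query back, a script that wrongly executed would send a value that the exact-match check on line 152 ignores, so the enforcement failure would go unreported. I would drop both spaces so the markup reads `id="documentWriteln-deferred-async" src="simpleSourcedScript.js?documentWriteln-deferred-async"`.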