| Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html
|
| diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..fa38b65a23851ce17629538234303afddf76c007
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_meta_tag.html
|
| @@ -0,0 +1,76 @@
|
| +<!DOCTYPE HTML>
|
| +<html>
|
| +
|
| +<head>
|
| + <title>A `strict-dynamic` policy can be served in a META tag.</title>
|
| + <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-dummy'">
|
| + <script src='/resources/testharness.js' nonce='dummy'></script>
|
| + <script src='/resources/testharnessreport.js' nonce='dummy'></script>
|
| +
|
| + <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
|
| +</head>
|
| +
|
| +<body>
|
| + <h1>A `strict-dynamic` policy can be served in a META tag.</h1>
|
| + <div id='log'></div>
|
| +
|
| + <script nonce='dummy'>
|
| + window.addEventListener('securitypolicyviolation', function(e) {
|
| + assert_unreached('No CSP violation report has fired.');
|
| + });
|
| +
|
| + async_test(function(t) {
|
| + window.addEventListener('message', t.step_func(function(e) {
|
| + if (e.data === 'appendChild') {
|
| + t.done();
|
| + }
|
| + }));
|
| + var e = document.createElement('script');
|
| + e.id = 'appendChild';
|
| + e.src = 'simpleSourcedScript.js?' + e.id;
|
| + e.onerror = t.unreached_func('Error should not be triggered.');
|
| + document.body.appendChild(e);
|
| + }, 'Script injected via `appendChild` is allowed with `strict-dynamic`.');
|
| + </script>
|
| +
|
| + <script nonce='dummy'>
|
| + async_test(function(t) {
|
| + window.addEventListener('message', t.step_func(function(e) {
|
| + if (e.data === 'appendChild-incorrectNonce') {
|
| + t.done();
|
| + }
|
| + }));
|
| + var e = document.createElement('script');
|
| + e.id = 'appendChild-incorrectNonce';
|
| + e.src = 'simpleSourcedScript.js?' + e.id;
|
| + e.setAttribute('nonce', 'wrong');
|
| + e.onerror = t.unreached_func('Error should not be triggered.');
|
| + document.body.appendChild(e);
|
| + }, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
|
| + </script>
|
| +
|
| + <script nonce='dummy'>
|
| + async_test(function(t) {
|
| + window.appendChildViaTextContent = t.step_func_done();
|
| + var e = document.createElement('script');
|
| + e.id = 'appendChild-textContent';
|
| + e.textContent = "appendChildViaTextContent();";
|
| + e.onerror = t.unreached_func('Error should not be triggered.');
|
| + document.body.appendChild(e);
|
| + }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.');
|
| + </script>
|
| +
|
| + <script nonce='dummy'>
|
| + async_test(function(t) {
|
| + window.appendChildViaTextContentIncorrectNonce = t.step_func_done();
|
| + var e = document.createElement('script');
|
| + e.id = 'appendChild-textContent-incorrectNonce';
|
| + e.setAttribute('nonce', 'wrong');
|
| + e.textContent = "appendChildViaTextContentIncorrectNonce();";
|
| + e.onerror = t.unreached_func('Error should not be triggered.');
|
| + document.body.appendChild(e);
|
| + }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
|
| + </script>
|
| +</body>
|
| +
|
| +</html>
|
|
|
Chromium Code Reviews
Issue 2695813009:
Import wpt@503f5b5f78ec4e87d144f78609f363f0ed0ea8db (Closed)
