| Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
|
| diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..94490de1b465cfa683ee560147c4f80426d8bec4
|
| --- /dev/null
|
| +++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html
|
| @@ -0,0 +1,61 @@
|
| +<!DOCTYPE HTML>
|
| +<html>
|
| +
|
| +<head>
|
| + <title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
|
| + <script src='/resources/testharness.js' nonce='dummy'></script>
|
| + <script src='/resources/testharnessreport.js' nonce='dummy'></script>
|
| +
|
| + <!-- CSP served:
|
| + 1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
|
| + 2) Content-Security-Policy: script-src 'self' 'nonce-dummy'
|
| + -->
|
| +</head>
|
| +
|
| +<body>
|
| + <h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
|
| + <div id='log'></div>
|
| +
|
| + <script nonce='dummy'>
|
| + async_test(function(t) {
|
| + window.addEventListener('message', t.step_func(function(e) {
|
| + if (e.data === 'whitelisted-appendChild') {
|
| + t.done();
|
| + }
|
| + }));
|
| + window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
|
| + if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') {
|
| + return;
|
| + }
|
| + assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
|
| + }));
|
| +
|
| + var e = document.createElement('script');
|
| + e.id = 'whitelisted-appendChild';
|
| + e.src = 'simpleSourcedScript.js?' + e.id;
|
| + e.onerror = t.unreached_func('Error should not be triggered.');
|
| + document.body.appendChild(e);
|
| + }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
|
| + </script>
|
| +
|
| + <script nonce='dummy'>
|
| + async_test(function(t) {
|
| + window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
|
| + if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
|
| + return;
|
| + }
|
| + assert_equals(violation.effectiveDirective, 'script-src');
|
| + assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
|
| + t.done();
|
| + }));
|
| +
|
| + var e = document.createElement('script');
|
| + e.id = 'nonWhitelisted-appendChild';
|
| + e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
|
| + e.onload = t.unreached_func('OnLoad should not be triggered.');
|
| + document.body.appendChild(e);
|
| + }, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.');
|
| + </script>
|
| +</body>
|
| +
|
| +</html>
|
|
|
Chromium Code Reviews
Issue 2704543002:
Import wpt@3bd204d7e86fd81e98e63f4ce59b95d98bad1c54 (Closed)
