
Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html

Issue 2801243002: More tweaks to <script nonce> hiding. (Closed)
Patch Set: Moved tests. Created 3 years, 7 months ago
(Empty)
1 <!DOCTYPE html>
2 <script src="/resources/testharness.js"></script>
3 <script src="/resources/testharnessreport.js"></script>
4
5 <meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img- src 'none'">
6
7 <body>
8 <!-- Basics -->
9 <script nonce="abc" id="testScript">
10 document.currentScript.setAttribute('executed', 'yay');
11 </script>
12
13 <script nonce="abc">
14 var script = document.querySelector('#testScript');
15
16 test(t => {
17 // Query Selector
18 assert_equals(document.querySelector('body [nonce]'), script);
19 assert_equals(document.querySelector('body [nonce=""]'), null);
20 assert_equals(document.querySelector('body [nonce=abc]'), script);
21
22 assert_equals(script.getAttribute('nonce'), 'abc');
23 assert_equals(script.nonce, 'abc');
24 }, "Reading 'nonce' content attribute and IDL attribute.");
25
26 // Clone node.
27 test(t => {
28 script.setAttribute('executed', 'boo');
29 var s2 = script.cloneNode();
30 assert_equals(s2.nonce, 'abc', 'IDL attribute');
31 assert_equals(s2.getAttribute('nonce'), 'abc');
32 }, "Cloned node retains nonce.");
33
34 async_test(t => {
35 var s2 = script.cloneNode();
36 document.head.appendChild(s2);
37 window.addEventListener('load', t.step_func_done(_ => {
38 assert_equals(s2.nonce, 'abc');
39 assert_equals(s2.getAttribute('nonce'), 'abc');
40
41 // The cloned script won't execute, as its 'already started' flag is set .
42 assert_equals(s2.getAttribute('executed'), 'boo');
43 }));
44 }, "Cloned node retains nonce when inserted.");
45
46 // Set the content attribute to 'foo'
47 test(t => {
48 script.setAttribute('nonce', 'foo');
49 assert_equals(script.getAttribute('nonce'), 'foo');
50 assert_equals(script.nonce, 'abc');
51 }, "Writing 'nonce' content attribute.");
52
53 // Set the IDL attribute to 'bar'
54 test(t => {
55 script.nonce = 'bar';
56 assert_equals(script.nonce, 'bar');
57 assert_equals(script.getAttribute('nonce'), 'foo');
58 }, "Writing 'nonce' IDL attribute.");
59
60 // Fragment parser.
61 var documentWriteTest = async_test("Document-written script executes.");
62 document.write(`<script nonce='abc'>
63 documentWriteTest.done();
64 test(t => {
65 var script = document.currentScript;
66 assert_equals(script.getAttribute('nonce'), 'abc');
67 assert_equals(script.nonce, 'abc');
68 }, "Document-written script's nonce value.");
69 </scr` + `ipt>`);
70
71 // Create node.
72 async_test(t => {
73 var s = document.createElement('script');
74 s.innerText = script.innerText;
75 s.nonce = 'abc';
76 document.head.appendChild(s);
77
78 window.addEventListener('load', t.step_func_done(_ => {
79 assert_equals(s.nonce, 'abc');
80 assert_equals(s.getAttribute('nonce'), null);
81 assert_equals(s.getAttribute('executed'), 'yay');
82 }));
83 }, "createElement.nonce.");
84
85 // Create node.
86 async_test(t => {
87 var s = document.createElement('script');
88 s.innerText = script.innerText;
89 s.setAttribute('nonce', 'abc');
90 assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content");
91 assert_equals(s.nonce, '', "Pre-insertion IDL");
92 document.head.appendChild(s);
93
94 window.addEventListener('load', t.step_func_done(_ => {
95 assert_equals(s.nonce, 'abc', "Post-insertion IDL");
96 assert_equals(s.getAttribute('nonce'), 'abc', "Post-insertion content");
97 assert_equals(s.getAttribute('executed'), 'yay');
98 }));
99 }, "createElement.setAttribute.");
100 </script>
101
102 <!-- CSS Leakage -->
103 <style>
104 #cssTest { display: block; }
105 #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
106 </style>
107 <script nonce="abc" id="cssTest">
108 async_test(t => {
109 requestAnimationFrame(t.step_func_done(_ => {
110 var script = document.querySelector('#cssTest');
111 var style = getComputedStyle(script);
112 assert_equals(style['display'], 'block');
113 assert_equals(style['background-image'], "url(\"http://web-platform.test :8001/security/resources/abe.png\")");
114 }));
115 }, "Nonces leak via CSS side-channels.");
116 </script>
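Review bot: Nothing in this file checks that the `<meta http-equiv="content-security-policy">` policy is actually enforced — every inline script carries the matching nonce `abc`, so if the meta-delivered policy were silently ignored, all of the reflection, cloning and CSS-matching assertions would still pass vacuously. A negative control, a script with a non-matching nonce that must not run, would pin that the policy is live before the nonce-visibility claims are read; a sketch follows. Separately, the `background-image` assertion in the CSS leakage test hard-codes `http://web-platform.test:8001`, which ties the test to one WPT host/port; deriving the expectation as `'url("' + new URL('/security/resources/abe.png', location).href + '")'` keeps it portable across runners. Since the file name and the CSS test together assert that the nonce stays readable under a `<meta>`-delivered policy, a one-line comment near the top stating that this is the intended contrast with the header-delivered case would help future readers — assuming that is indeed the intent.
```html
<!-- … unchanged: existing reflection / clone / createElement tests … -->

<!-- Negative control: a script whose nonce does not match must not run under the <meta> policy. -->
<script nonce="bad" id="negativeControl">
document.currentScript.setAttribute('executed', 'boo');
</script>
<script nonce="abc">
test(t => {
  var blocked = document.querySelector('#negativeControl');
  assert_equals(blocked.getAttribute('executed'), null);
}, "Script with a non-matching nonce is blocked by the <meta> policy.");
</script>
```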
