
Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html

Issue 2801243002: More tweaks to <script nonce> hiding. (Closed)
Patch Set: Moved tests. Created 3 years, 7 months ago
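--- a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html
@@ -0,0 +1,114 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js" nonce="abc"></script>
+<script src="/resources/testharnessreport.js" nonce="abc"></script>
+
+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers -->
+
+<body>
+<!-- Basics -->
+<script nonce="abc" id="testScript">
+document.currentScript.setAttribute('executed', 'yay');
+</script>
+
+<script nonce="abc">
+var script = document.querySelector('#testScript');
+
+test(t => {
+// Query Selector
+assert_equals(document.querySelector('body [nonce]'), script);
+assert_equals(document.querySelector('body [nonce=""]'), script);
+assert_equals(document.querySelector('body [nonce=abc]'), null);
+
+assert_equals(script.getAttribute('nonce'), '');
+assert_equals(script.nonce, 'abc');
+}, "Reading 'nonce' content attribute and IDL attribute.");
+
+// Clone node.
+test(t => {
+script.setAttribute('executed', 'boo');
+var s2 = script.cloneNode();
+assert_equals(s2.nonce, 'abc', 'IDL attribute');
+assert_equals(s2.getAttribute('nonce'), '');
+}, "Cloned node retains nonce.");
+
+async_test(t => {
+var s2 = script.cloneNode();
+document.head.appendChild(s2);
+window.addEventListener('load', t.step_func_done(_ => {
+assert_equals(s2.nonce, 'abc');
+assert_equals(s2.getAttribute('nonce'), '');
+
+// The cloned script won't execute, as its 'already started' flag is set .
+assert_equals(s2.getAttribute('executed'), 'boo');
+}));
+}, "Cloned node retains nonce when inserted.");
+
+// Set the content attribute to 'foo'
+test(t => {
+script.setAttribute('nonce', 'foo');
+assert_equals(script.getAttribute('nonce'), 'foo');
+assert_equals(script.nonce, 'abc');
+}, "Writing 'nonce' content attribute.");
+
+// Set the IDL attribute to 'bar'
+test(t => {
+script.nonce = 'bar';
+assert_equals(script.nonce, 'bar');
+assert_equals(script.getAttribute('nonce'), 'foo');
+}, "Writing 'nonce' IDL attribute.");
+
+// Fragment parser.
+var documentWriteTest = async_test("Document-written script executes.");
+document.write(`<script nonce='abc'>
+documentWriteTest.done();
+test(t => {
+var script = document.currentScript;
+assert_equals(script.getAttribute('nonce'), '');
+assert_equals(script.nonce, 'abc');
+}, "Document-written script's nonce value.");
+</scr` + `ipt>`);
+
+// Create node.
+async_test(t => {
+var s = document.createElement('script');
+s.innerText = script.innerText;
+s.nonce = 'abc';
+document.head.appendChild(s);
+
+window.addEventListener('load', t.step_func_done(_ => {
+assert_equals(s.nonce, 'abc');
+assert_equals(s.getAttribute('nonce'), null);
+}));
+}, "createElement.nonce.");
+
+// Create node.
+async_test(t => {
+var s = document.createElement('script');
+s.innerText = script.innerText;
+s.setAttribute('nonce', 'abc');
+assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content");
+assert_equals(s.nonce, '', "Pre-insertion IDL");
+document.head.appendChild(s);
+
+window.addEventListener('load', t.step_func_done(_ => {
+assert_equals(s.nonce, 'abc', "Post-insertion IDL");
+assert_equals(s.getAttribute('nonce'), '', "Post-insertion content");
+}));
+}, "createElement.setAttribute.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+#cssTest { display: block; }
+#cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<script nonce="abc" id="cssTest">
+async_test(t => {
+requestAnimationFrame(t.step_func_done(_ => {
+var script = document.querySelector('#cssTest');
+var style = getComputedStyle(script);
+assert_equals(style['display'], 'block');
+assert_equals(style['background-image'], 'none');
+}));
+}, "Nonces don't leak via CSS side-channels.");
+</script>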
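Review bot: The two createElement tests (new lines 72–97) assert only the nonce's content and IDL values after insertion and never check that the inserted script ran, so a regression in which a hidden nonce no longer authorizes execution under `script-src 'nonce-abc'` would still pass. Because `s.innerText` is copied from `#testScript`, whose body sets `executed` on `document.currentScript`, each load callback could add `assert_equals(s.getAttribute('executed'), 'yay');`, assuming both scripts are expected to execute. Separately, the assertion on line 42 expects `'boo'`, a value set by the preceding test on line 28, so that async test depends on the earlier one having run. Calling `script.setAttribute('executed', 'boo');` inside the async test before `cloneNode()` would make it self-contained.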
