
Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden.html

Issue 2801243002: More tweaks to <script nonce> hiding. (Closed)
Patch Set: Moved tests. Created 3 years, 7 months ago
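--- a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden.html
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/svgscript-nonces-hidden.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js" nonce="abc"></script>
+<script src="/resources/testharnessreport.js" nonce="abc"></script>
+
+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers -->
+
+<body>
+<!-- Basics -->
+<svg xmlns="http://www.w3.org/2000/svg">
+<script nonce="abc" id="testScript">
+document.currentScript.setAttribute('executed', 'yay');
+</script>
+</svg>
+
+<script nonce="abc">
+var script = document.querySelector('#testScript');
+
+test(t => {
+// Query Selector
+assert_equals(document.querySelector('body [nonce]'), script);
+assert_equals(document.querySelector('body [nonce=""]'), script);
+assert_equals(document.querySelector('body [nonce=abc]'), null);
+
+assert_equals(script.getAttribute('nonce'), '');
+assert_equals(script.nonce, 'abc');
+}, "Reading 'nonce' content attribute and IDL attribute.");
+
+// Clone node.
+test(t => {
+script.setAttribute('executed', 'boo');
+var s2 = script.cloneNode();
+assert_equals(s2.nonce, 'abc', 'IDL attribute');
+assert_equals(s2.getAttribute('nonce'), '');
+}, "Cloned node retains nonce.");
+
+async_test(t => {
+var s2 = script.cloneNode();
+document.head.appendChild(s2);
+window.addEventListener('load', t.step_func_done(_ => {
+assert_equals(s2.nonce, 'abc');
+assert_equals(s2.getAttribute('nonce'), '');
+
+// The cloned script won't execute, as its 'already started' flag is set .
+assert_equals(s2.getAttribute('executed'), 'boo');
+}));
+}, "Cloned node retains nonce when inserted.");
+
+// Set the content attribute to 'foo'
+test(t => {
+script.setAttribute('nonce', 'foo');
+assert_equals(script.getAttribute('nonce'), 'foo');
+assert_equals(script.nonce, 'abc');
+}, "Writing 'nonce' content attribute.");
+
+// Set the IDL attribute to 'bar'
+test(t => {
+script.nonce = 'bar';
+assert_equals(script.nonce, 'bar');
+assert_equals(script.getAttribute('nonce'), 'foo');
+}, "Writing 'nonce' IDL attribute.");
+
+// Fragment parser.
+var documentWriteTest = async_test("Document-written script executes.");
+document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
+documentWriteTest.done();
+test(t => {
+var script = document.currentScript;
+assert_equals(script.getAttribute('nonce'), '');
+assert_equals(script.nonce, 'abc');
+}, "Document-written script's nonce value.");
+</scr` + `ipt></svg>`);
+
+// Create node.
+async_test(t => {
+var s = document.createElement('svg');
+var innerScript = document.createElement('script');
+innerScript.innerText = script.innerText;
+innerScript.nonce = 'abc';
+s.appendChild(innerScript);
+document.body.appendChild(s);
+
+window.addEventListener('load', t.step_func_done(_ => {
+assert_equals(innerScript.nonce, 'abc');
+assert_equals(innerScript.getAttribute('nonce'), null);
+}));
+}, "createElement.nonce.");
+
+// Create node.
+async_test(t => {
+var s = document.createElement('svg');
+var innerScript = document.createElement('script');
+innerScript.innerText = script.innerText;
+innerScript.setAttribute('nonce', 'abc');
+assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion con tent");
+assert_equals(innerScript.nonce, '', "Pre-insertion IDL");
+s.appendChild(innerScript);
+document.body.appendChild(s);
+
+window.addEventListener('load', t.step_func_done(_ => {
+assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
+assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion con tent");
+}));
+}, "createElement.setAttribute.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+#cssTest { display: block; }
+#cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<svg xmlns="http://www.w3.org/2000/svg">
+<script nonce="abc" id="cssTest">
+async_test(t => {
+requestAnimationFrame(t.step_func_done(_ => {
+var script = document.querySelector('#cssTest');
+var style = getComputedStyle(script);
+assert_equals(style['display'], 'block');
+assert_equals(style['background-image'], 'none');
+}));
+}, "Nonces don't leak via CSS side-channels.");
+</script>
+</svg>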
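Review bot: The two "Create node" tests at new lines 75–77 and 90–92 do not build SVG elements: in an HTML document `document.createElement('svg')` returns an HTML-namespace `HTMLUnknownElement` and `document.createElement('script')` an `HTMLScriptElement`, so those cases exercise HTML `<script>` nonce hiding rather than the SVG `<script>` this file is named for. Both tests should use `var s = document.createElementNS('http://www.w3.org/2000/svg', 'svg');` and `var innerScript = document.createElementNS('http://www.w3.org/2000/svg', 'script');`. `innerText` is an `HTMLElement` property, so with `script` being the SVG `#testScript` element from line 10 the copy on lines 77 and 92 likely does not carry the intended source; once both ends are SVG elements it should read `innerScript.textContent = script.textContent;`. Separately, the `#cssTest` rule on line 109 points at `/security/resources/abe.png`, a Blink LayoutTests path a test under external/wpt cannot rely on once upstreamed; the computed `background-image` assertion does not depend on the fetch (and `img-src 'none'` blocks it anyway), but the URL should reference a resource shipped next to the test.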
