Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(355)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html

Issue 2801243002: More tweaks to <script nonce> hiding. (Closed)
Patch Set: Moved tests. Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html.headers » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html
new file mode 100644
index 0000000000000000000000000000000000000000..812e50dfb9147b6db41bd57b4c8f67ed456c7628
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden-meta.html
@@ -0,0 +1,116 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'">
+
+<body>
+<!-- Basics -->
+<script nonce="abc" id="testScript">
+ document.currentScript.setAttribute('executed', 'yay');
+</script>
+
+<script nonce="abc">
+ var script = document.querySelector('#testScript');
+
+ test(t => {
+ // Query Selector
+ assert_equals(document.querySelector('body [nonce]'), script);
+ assert_equals(document.querySelector('body [nonce=""]'), null);
+ assert_equals(document.querySelector('body [nonce=abc]'), script);
+
+ assert_equals(script.getAttribute('nonce'), 'abc');
+ assert_equals(script.nonce, 'abc');
+ }, "Reading 'nonce' content attribute and IDL attribute.");
+
+ // Clone node.
+ test(t => {
+ script.setAttribute('executed', 'boo');
+ var s2 = script.cloneNode();
+ assert_equals(s2.nonce, 'abc', 'IDL attribute');
+ assert_equals(s2.getAttribute('nonce'), 'abc');
+ }, "Cloned node retains nonce.");
+
+ async_test(t => {
+ var s2 = script.cloneNode();
+ document.head.appendChild(s2);
+ window.addEventListener('load', t.step_func_done(_ => {
+ assert_equals(s2.nonce, 'abc');
+ assert_equals(s2.getAttribute('nonce'), 'abc');
+
+ // The cloned script won't execute, as its 'already started' flag is set.
+ assert_equals(s2.getAttribute('executed'), 'boo');
+ }));
+ }, "Cloned node retains nonce when inserted.");
+
+ // Set the content attribute to 'foo'
+ test(t => {
+ script.setAttribute('nonce', 'foo');
+ assert_equals(script.getAttribute('nonce'), 'foo');
+ assert_equals(script.nonce, 'abc');
+ }, "Writing 'nonce' content attribute.");
+
+ // Set the IDL attribute to 'bar'
+ test(t => {
+ script.nonce = 'bar';
+ assert_equals(script.nonce, 'bar');
+ assert_equals(script.getAttribute('nonce'), 'foo');
+ }, "Writing 'nonce' IDL attribute.");
+
+ // Fragment parser.
+ var documentWriteTest = async_test("Document-written script executes.");
+ document.write(`<script nonce='abc'>
+ documentWriteTest.done();
+ test(t => {
+ var script = document.currentScript;
+ assert_equals(script.getAttribute('nonce'), 'abc');
+ assert_equals(script.nonce, 'abc');
+ }, "Document-written script's nonce value.");
+ </scr` + `ipt>`);
+
+ // Create node.
+ async_test(t => {
+ var s = document.createElement('script');
+ s.innerText = script.innerText;
+ s.nonce = 'abc';
+ document.head.appendChild(s);
+
+ window.addEventListener('load', t.step_func_done(_ => {
+ assert_equals(s.nonce, 'abc');
+ assert_equals(s.getAttribute('nonce'), null);
+ assert_equals(s.getAttribute('executed'), 'yay');
+ }));
+ }, "createElement.nonce.");
+
+ // Create node.
+ async_test(t => {
+ var s = document.createElement('script');
+ s.innerText = script.innerText;
+ s.setAttribute('nonce', 'abc');
+ assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content");
+ assert_equals(s.nonce, '', "Pre-insertion IDL");
+ document.head.appendChild(s);
+
+ window.addEventListener('load', t.step_func_done(_ => {
+ assert_equals(s.nonce, 'abc', "Post-insertion IDL");
+ assert_equals(s.getAttribute('nonce'), 'abc', "Post-insertion content");
+ assert_equals(s.getAttribute('executed'), 'yay');
+ }));
+ }, "createElement.setAttribute.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+ #cssTest { display: block; }
+ #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<script nonce="abc" id="cssTest">
+ async_test(t => {
+ requestAnimationFrame(t.step_func_done(_ => {
+ var script = document.querySelector('#cssTest');
+ var style = getComputedStyle(script);
+ assert_equals(style['display'], 'block');
+ assert_equals(style['background-image'], "url(\"http://web-platform.test:8001/security/resources/abe.png\")");
+ }));
+ }, "Nonces leak via CSS side-channels.");
+</script>
« no previous file with comments | « third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/_unapproved/script-nonces-hidden.html.headers » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698