Skip to content

Commit

Permalink
Bug 1616251 [wpt PR 21853] - nonce attribute: no longer tentative, a=…
Browse files Browse the repository at this point in the history 
…testonly

Automatic update from web-platform-tests
nonce attribute: no longer tentative

For whatwg/html#5300.

Supersedes #5423
--

wpt-commits: 2ca72d0f4b39e6007ae10e78d25f352dab56b2d2
wpt-pr: 21853


--HG--
rename : testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers => testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers
rename : testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers => testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers
  • Loading branch information
@annevk @moz-wptsync-bot
annevk authored and moz-wptsync-bot committed Feb 24, 2020
1 parent 205bea2 commit 979c583
Show file tree
Hide file tree
Showing 8 changed files with 49 additions and 50 deletions.
32 changes: 32 additions & 0 deletions testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html
View file
@@ -0,0 +1,32 @@
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<div id=log></div>
<script>
[["meh", ""],
["div", ""],
["script", ""],
["meh", "http://www.w3.org/2000/svg"],
["svg", "http://www.w3.org/2000/svg"], ,
["script", "http://www.w3.org/2000/svg"]].forEach(([localName, namespace]) => {
test(t => {
const element = namespace === "" ? document.createElement(localName) : document.createElementNS(namespace, localName);
t.add_cleanup(() => element.remove());
assert_equals(element.nonce, "", "Initial IDL attribute value");
element.setAttribute("nonce", "x");
assert_equals(element.nonce, "x", "IDL attribute is modified after content attribute set");
assert_equals(element.getAttribute("nonce"), "x", "Content attribute is modified after content attribute set");
document.body.appendChild(element);
assert_equals(element.nonce, "x", "IDL attribute is unchanged after element insertion");
assert_equals(element.getAttribute("nonce"), "", "Content attribute is changed after element insertion");
}, `Basic nonce tests for ${localName} in ${namespace === "" ? "HTML" : "SVG"} namespace`);

test(t => {
const element = namespace === "" ? document.createElement(localName) : document.createElementNS(namespace, localName);
element.setAttribute("nonce", "x");
assert_equals(element.nonce, "x", "IDL attribute is modified after content attribute set");
element.removeAttribute("nonce");
assert_equals(element.nonce, "", "IDL attribute is empty after content attribute removal");
}, `Ensure that removal of content attribute does not affect IDL attribute for ${localName} in ${namespace === "" ? "HTML" : "SVG"} namespace`);
});
</script>
1 change: 1 addition & 0 deletions testing/web-platform/tests/content-security-policy/nonce-hiding/nonces.html.headers
View file
@@ -0,0 +1 @@
Content-Security-Policy: img-src 'none'
15 changes: 8 additions & 7 deletions ...ipt-nonces-hidden-meta.tentative.sub.html → ...hiding/script-nonces-hidden-meta.sub.html
View file
Expand Up @@ -72,6 +72,8 @@
var s = document.createElement('script');
s.innerText = script.innerText;
s.nonce = 'abc';
assert_equals(s.nonce, 'abc');
assert_equals(s.getAttribute('nonce'), null);
document.head.appendChild(s);
assert_equals(s.nonce, 'abc');
assert_equals(s.getAttribute('nonce'), null);
Expand Down Expand Up @@ -119,12 +121,11 @@
#cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
</style>
<script nonce="abc" id="cssTest">
async_test(t => {
requestAnimationFrame(t.step_func_done(_ => {
var script = document.querySelector('#cssTest');
var style = getComputedStyle(script);
assert_equals(style['display'], 'block');
assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
}));
test(t => {
const script = document.querySelector('#cssTest');
t.add_cleanup(() => script.remove());
var style = getComputedStyle(script);
assert_equals(style['display'], 'block');
assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
}, "Nonces leak via CSS side-channels.");
</script>
15 changes: 8 additions & 7 deletions ...iding/script-nonces-hidden.tentative.html → ...cy/nonce-hiding/script-nonces-hidden.html
View file
Expand Up @@ -73,6 +73,8 @@
var s = document.createElement('script');
s.innerText = script.innerText;
s.nonce = 'abc';
assert_equals(s.nonce, 'abc');
assert_equals(s.getAttribute('nonce'), null);
document.head.appendChild(s);
assert_equals(s.nonce, 'abc');
assert_equals(s.getAttribute('nonce'), null);
Expand Down Expand Up @@ -160,12 +162,11 @@
#cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
</style>
<script nonce="abc" id="cssTest">
async_test(t => {
requestAnimationFrame(t.step_func_done(_ => {
var script = document.querySelector('#cssTest');
var style = getComputedStyle(script);
assert_equals(style['display'], 'block');
assert_equals(style['background-image'], 'none');
}));
test(t => {
const script = document.querySelector('#cssTest');
t.add_cleanup(() => script.remove());
var style = getComputedStyle(script);
assert_equals(style['display'], 'block');
assert_equals(style['background-image'], 'none');
}, "Nonces don't leak via CSS side-channels.");
</script>
0 ...ript-nonces-hidden.tentative.html.headers → ...-hiding/script-nonces-hidden.html.headers
View file
File renamed without changes.
18 changes: 0 additions & 18 deletions ...ipt-nonces-hidden-meta.tentative.sub.html → ...ing/svgscript-nonces-hidden-meta.sub.html
View file
Expand Up @@ -96,21 +96,3 @@
assert_equals(innerScript.getAttribute('nonce'), 'abc', "Post-insertion content");
}, "createElement.setAttribute.");
</script>

<!-- CSS Leakage -->
<style>
#cssTest { display: block; }
#cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
</style>
<svg xmlns="http://www.w3.org/2000/svg">
<script nonce="abc" id="cssTest">
async_test(t => {
requestAnimationFrame(t.step_func_done(_ => {
var script = document.querySelector('#cssTest');
var style = getComputedStyle(script);
assert_equals(style['display'], 'block');
assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
}));
}, "Nonces don't leak via CSS side-channels.");
</script>
</svg>
18 changes: 0 additions & 18 deletions ...ng/svgscript-nonces-hidden.tentative.html → ...nonce-hiding/svgscript-nonces-hidden.html
View file
Expand Up @@ -96,21 +96,3 @@
assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion content");
}, "createElement.setAttribute.");
</script>

<!-- CSS Leakage -->
<style>
#cssTest { display: block; }
#cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
</style>
<svg xmlns="http://www.w3.org/2000/svg">
<script nonce="abc" id="cssTest">
async_test(t => {
requestAnimationFrame(t.step_func_done(_ => {
var script = document.querySelector('#cssTest');
var style = getComputedStyle(script);
assert_equals(style['display'], 'block');
assert_equals(style['background-image'], 'none');
}));
}, "Nonces don't leak via CSS side-channels.");
</script>
</svg>
0 ...ript-nonces-hidden.tentative.html.headers → ...ding/svgscript-nonces-hidden.html.headers
View file
File renamed without changes.

0 comments on commit 979c583

Please sign in to comment.