Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
As specified in whatwg/html#2373.
- Loading branch information
Showing
1 changed file
with
114 additions
and
0 deletions.
There are no files selected for viewing
114 changes: 114 additions & 0 deletions
114
content-security-policy/script-src/script-nonces-hidden.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| <!DOCTYPE html> | ||
| <script src="/resources/testharness.js"></script> | ||
| <script src="/resources/testharnessreport.js"></script> | ||
|
|
||
| <meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'"> | ||
|
|
||
| <body> | ||
| <!-- Basics --> | ||
| <script nonce="abc" id="testScript"> | ||
| document.currentScript.setAttribute('executed', 'yay'); | ||
| </script> | ||
|
|
||
| <script nonce="abc"> | ||
| var script = document.querySelector('#testScript'); | ||
|
|
||
| test(t => { | ||
| // Query Selector | ||
| assert_equals(document.querySelector('[nonce]'), script); | ||
| assert_equals(document.querySelector('[nonce=""]'), script); | ||
| assert_equals(document.querySelector('[nonce=abc]'), null); | ||
|
|
||
| assert_equals(script.getAttribute('nonce'), ''); | ||
| assert_equals(script.nonce, 'abc'); | ||
| }, "HTML: Reading 'nonce' content attribute and IDL attribute."); | ||
|
|
||
| // Clone node. | ||
| test(t => { | ||
| script.setAttribute('executed', 'boo'); | ||
| var s2 = script.cloneNode(); | ||
| assert_equals(s2.nonce, 'abc', 'IDL attribute'); | ||
| assert_equals(s2.getAttribute('nonce'), ''); | ||
| }, "HTML: Cloned node retains nonce."); | ||
|
|
||
| async_test(t => { | ||
| var s2 = script.cloneNode(); | ||
| document.head.appendChild(s2); | ||
| window.addEventListener('load', t.step_func_done(_ => { | ||
| assert_equals(s2.nonce, 'abc'); | ||
| assert_equals(s2.getAttribute('nonce'), ''); | ||
|
|
||
| // The cloned script won't execute, as its 'already started' flag is set. | ||
| assert_equals(s2.getAttribute('executed'), 'boo'); | ||
| })); | ||
| }, "HTML: Cloned node retains nonce when inserted."); | ||
|
|
||
| // Set the content attribute to 'foo' | ||
| test(t => { | ||
| script.setAttribute('nonce', 'foo'); | ||
| assert_equals(script.getAttribute('nonce'), 'foo'); | ||
| assert_equals(script.nonce, 'abc'); | ||
| }, "HTML: Writing 'nonce' content attribute."); | ||
|
|
||
| // Set the IDL attribute to 'bar' | ||
| test(t => { | ||
| script.nonce = 'bar'; | ||
| assert_equals(script.nonce, 'bar'); | ||
| assert_equals(script.getAttribute('nonce'), 'foo'); | ||
| }, "HTML: Writing 'nonce' IDL attribute."); | ||
|
|
||
| // Fragment parser. | ||
| var documentWriteTest = async_test("Document-written script executes."); | ||
| document.write(`<script nonce='abc'> | ||
| documentWriteTest.done(); | ||
| test(t => { | ||
| var script = document.currentScript; | ||
| assert_equals(script.getAttribute('nonce'), ''); | ||
| assert_equals(script.nonce, 'abc'); | ||
| }, "HTML: Document-written script's nonce value."); | ||
| </scr` + `ipt>`); | ||
|
|
||
| // Create node. | ||
| async_test(t => { | ||
| var s = document.createElement('script'); | ||
| s.innerText = script.innerText; | ||
| s.nonce = 'abc'; | ||
| document.head.appendChild(s); | ||
|
|
||
| window.addEventListener('load', t.step_func_done(_ => { | ||
| assert_equals(s.nonce, 'abc'); | ||
| assert_equals(s.getAttribute('nonce'), null); | ||
| assert_equals(s.getAttribute('executed'), 'yay'); | ||
| })); | ||
| }, "HTML: createElement.nonce."); | ||
|
|
||
| // Create node. | ||
| async_test(t => { | ||
| var s = document.createElement('script'); | ||
| s.innerText = script.innerText; | ||
| s.setAttribute('nonce', 'abc'); | ||
| assert_equals(s.getAttribute('nonce'), 'abc', "Pre-insertion content"); | ||
| assert_equals(s.nonce, '', "Pre-insertion IDL"); | ||
| document.head.appendChild(s); | ||
|
|
||
| window.addEventListener('load', t.step_func_done(_ => { | ||
| assert_equals(s.nonce, 'abc', "Post-insertion IDL"); | ||
| assert_equals(s.getAttribute('nonce'), '', "Post-insertion content"); | ||
| assert_equals(s.getAttribute('executed'), 'yay'); | ||
| })); | ||
| }, "HTML: createElement.setAttribute."); | ||
| </script> | ||
|
|
||
| <!-- CSS Leakage --> | ||
| <style> | ||
| #cssTest { display: block; } | ||
| #cssTest[nonce=abc] { background: url(/security/resources/abe.png); } | ||
| </style> | ||
| <script nonce="abc" id="cssTest"> | ||
| var css_test = async_test(t => { | ||
| document.addEventListener('securitypolicyviolation', e => { | ||
| assert_unreached("No image should be requested via CSS."); | ||
| }); | ||
| }, "Nonces don't leak via CSS side-channels."); | ||
| requestAnimationFrame(css_test.step_func_done()); | ||
| </script> |