mirror of
https://github.com/servo/servo.git
synced 2025-07-13 02:13:40 +01:00
63 lines
2.8 KiB
HTML
63 lines
2.8 KiB
HTML
<!DOCTYPE html>
|
|
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'">
|
|
<script src="/resources/testharness.js" nonce="abc"></script>
|
|
<script src="/resources/testharnessreport.js" nonce="abc"></script>
|
|
<script nonce="abc">
|
|
var t = async_test("Unnonced scripts generate reports.");
|
|
var events = 0;
|
|
var firstLine = 38;
|
|
var expectations = {}
|
|
expectations[firstLine] = true;
|
|
expectations[firstLine + 3] = true;
|
|
expectations[firstLine + 6] = true;
|
|
expectations[firstLine + 9] = true;
|
|
expectations[firstLine + 12] = true;
|
|
expectations[firstLine + 15] = true;
|
|
expectations[firstLine + 18] = true;
|
|
expectations["/content-security-policy/support/nonce-should-be-blocked.js?1"] = true;
|
|
expectations["/content-security-policy/support/nonce-should-be-blocked.js?2"] = true;
|
|
expectations["/content-security-policy/support/nonce-should-be-blocked.js?3"] = true;
|
|
expectations["/content-security-policy/support/nonce-should-be-blocked.js?4"] = true;
|
|
expectations["/content-security-policy/support/nonce-should-be-blocked.js?5"] = true;
|
|
|
|
document.addEventListener('securitypolicyviolation', t.step_func(e => {
|
|
if (e.lineNumber) {
|
|
// Verify that the line is expected, then clear the expectation:
|
|
assert_true(expectations[e.lineNumber], "Line number: " + e.lineNumber);
|
|
assert_equals(e.blockedURI, "inline");
|
|
} else {
|
|
// Otherwise, verify that the URL is expected, then clear the expectation:
|
|
var url = new URL(e.blockedURI);
|
|
assert_true(expectations[url.pathname + url.search], "URL: " + e.blockedURI);
|
|
}
|
|
events++;
|
|
if (events == 12)
|
|
t.done();
|
|
}));
|
|
</script>
|
|
<script>
|
|
t.unreached_func("No nonce, no execution.")();
|
|
</script>
|
|
<script nonce="xyz">
|
|
t.unreached_func("Bad nonce, no execution.")();
|
|
</script>
|
|
<script <script nonce="abc">
|
|
t.unreached_func("'<script' attribute, no execution.")();
|
|
</script>
|
|
<script attribute<script nonce="abc">
|
|
t.unreached_func("'attribute<script', no execution.")();
|
|
</script>
|
|
<script attribute=<script nonce="abc">
|
|
t.unreached_func("'<script' value, no execution.")();
|
|
</script>
|
|
<script attribute=value<script nonce="abc">
|
|
t.unreached_func("'value<script', no execution.")();
|
|
</script>
|
|
<script attribute="" attribute=<style nonce="abc">
|
|
t.unreached_func("Duplicate attribute, no execution.")();
|
|
</script>
|
|
<script src="../support/nonce-should-be-blocked.js?1" <script nonce="abc"></script>
|
|
<script src="../support/nonce-should-be-blocked.js?2" attribute=<script nonce="abc"></script>
|
|
<script src="../support/nonce-should-be-blocked.js?3" <style nonce="abc"></script>
|
|
<script src="../support/nonce-should-be-blocked.js?4" attribute=<style nonce="abc"></script>
|
|
<script src="../support/nonce-should-be-blocked.js?5" attribute=<style nonce="abc"></script>
|