file_nonce_snapshot.sjs (1502B)
"use strict";

/*
 * Server-side fixture for a CSP nonce "snapshot" check.
 *
 * The frame is served with `script-src 'nonce-123456789'`. Its inline script
 * starts an external script load while the element still carries the matching
 * nonce, then rewrites the element's nonce attribute to a value the policy
 * does not allow. Per the inline comments, the load is expected to be judged
 * against the nonce present when it started, not the later one.
 *
 * The external script is reached through a 302 redirect (redir-script ->
 * load-script), so the request that finally returns the script body is not
 * the one that was issued directly from the frame.
 */
const TEST_FRAME = `<!DOCTYPE HTML>
<html>
<body>
<script id='myScript' nonce='123456789' type='application/javascript'></script>
<script nonce='123456789'>
let myScript = document.getElementById('myScript');
// 1) start loading the script using the nonce 123456789
myScript.src='file_nonce_snapshot.sjs?redir-script';
// 2) dynamically change the nonce, load should use initial nonce
myScript.setAttribute('nonce','987654321');
</script>
</body>
</html>`;

// Body of the externally loaded script: it reports to the parent window that
// it ran. The wildcard target origin is tolerable here only because the
// payload is a fixed marker string and carries no data.
// NOTE(review): presumably the embedding test page listens for this message -
// the listener is not part of this file.
const SCRIPT = "window.parent.postMessage('script-loaded', '*');";

/**
 * Dispatches on the raw query string and writes the matching fixture response.
 *
 * @param request  - object exposing `queryString`
 * @param response - object exposing `setHeader`, `setStatusLine` and `write`
 */
function handleRequest(request, response) {
  // Set on every response so cached copies cannot blur the result.
  response.setHeader("Cache-Control", "no-cache", false);

  switch (request.queryString) {
    case "load-frame":
      // The policy admits only the nonce that TEST_FRAME starts out with.
      response.setHeader(
        "Content-Security-Policy",
        "script-src 'nonce-123456789'",
        false
      );
      response.setHeader("Content-Type", "text/html", false);
      response.write(TEST_FRAME);
      return;

    case "redir-script":
      // Bounce the script request to the URL that serves the script body.
      response.setStatusLine("1.1", 302, "Found");
      response.setHeader(
        "Location",
        "file_nonce_snapshot.sjs?load-script",
        false
      );
      return;

    case "load-script":
      response.setHeader("Content-Type", "application/javascript", false);
      response.write(SCRIPT);
      return;

    default:
      // Not expected to be reached; answer with something no caller expects
      // so a wrong query string is noticeable.
      response.write("do'h");
  }
}