tor-browser

The Tor Browser

file_nonce_source.html (4265B)


      1 <!doctype html>
      2 <html>
      3  <head>
      4    <!-- external styles: four stylesheet loads, one per nonce case. The testid suffix records the expected outcome (_good = load expected, _bad = block expected). A nonce that is valid for scripts is expected NOT to authorize a stylesheet. NOTE(review): the CSP that defines the valid nonces is not in this file; presumably the test harness sends it as a response header, confirm against the accompanying headers file. -->
      5    <link rel='stylesheet' nonce="correctstylenonce" href="file_CSP.sjs?testid=external_style_correct_nonce_good&type=text/css" />
      6    <link rel='stylesheet' nonce="incorrectstylenonce" href="file_CSP.sjs?testid=external_style_incorrect_nonce_bad&type=text/css" />
      7    <link rel='stylesheet' nonce="correctscriptnonce" href="file_CSP.sjs?testid=external_style_correct_script_nonce_bad&type=text/css" />
      8    <link rel='stylesheet' href="file_CSP.sjs?testid=external_style_no_nonce_bad&type=text/css" />
      9  </head>
     10  <body>
     11    <!-- inline scripts: each script below recolors the list item with the matching id. Only the script carrying the nonce valid for scripts is expected to run and turn its item green; the other three set red, so a red item means an inline script executed without a valid script nonce (wrong nonce, style-only nonce, or no nonce). Items that stay black show the script was blocked. -->
     12    <ol>
     13      <li id="inline-script-correct-nonce">(inline script with correct nonce) This text should be green.</li>
     14      <li id="inline-script-incorrect-nonce">(inline script with incorrect nonce) This text should be black.</li>
     15      <li id="inline-script-correct-style-nonce">(inline script with correct nonce for styles, but not for scripts) This text should be black.</li>
     16      <li id="inline-script-no-nonce">(inline script with no nonce) This text should be black.</li>
     17    </ol>
     18    <script nonce="correctscriptnonce">
     19      document.getElementById("inline-script-correct-nonce").style.color = "rgb(0, 128, 0)";
     20    </script>
     21    <script nonce="incorrectscriptnonce">
     22      document.getElementById("inline-script-incorrect-nonce").style.color = "rgb(255, 0, 0)";
     23    </script>
     24    <script nonce="correctstylenonce">
     25      document.getElementById("inline-script-correct-style-nonce").style.color = "rgb(255, 0, 0)";
     26    </script>
     27    <script>
     28      document.getElementById("inline-script-no-nonce").style.color = "rgb(255, 0, 0)";
     29    </script>
     30 
     31    <!-- external scripts: the first five load from http://example.org and their testids expect a load only when a valid script nonce is present; two distinct nonces (correctscriptnonce and anothercorrectscriptnonce) are both expected to be accepted, and the style nonce is expected to be rejected for scripts. NOTE(review): this implies http://example.org is not covered by the URI allowlist in the policy; the policy is not visible here, confirm against the headers file. -->
     32    <script nonce="correctscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_correct_nonce_good&type=text/javascript"></script>
     33    <script nonce="anothercorrectscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_another_correct_nonce_good&type=text/javascript"></script>
     34    <script nonce="incorrectscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_incorrect_nonce_bad&type=text/javascript"></script>
     35    <script nonce="correctstylenonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_correct_style_nonce_bad&type=text/javascript"></script>
     36    <script src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_no_nonce_bad&type=text/javascript"></script>
     37 
     38    <!-- This external script has the correct nonce and comes from an allowlisted URI. It should be allowed. -->
     39    <script nonce="correctscriptnonce" src="file_CSP.sjs?testid=external_script_correct_nonce_correct_uri_good&type=text/javascript"></script>
     40    <!-- This external script has an incorrect nonce, but comes from an allowlisted URI. It should be allowed: the URI match is expected to be sufficient on its own, so a wrong nonce does not cause a block. -->
     41    <script nonce="incorrectscriptnonce" src="file_CSP.sjs?testid=external_script_incorrect_nonce_correct_uri_good&type=text/javascript"></script>
     42    <!-- This external script has no nonce and comes from an allowlisted URI. It should be allowed. -->
     43    <script src="file_CSP.sjs?testid=external_script_no_nonce_correct_uri_good&type=text/javascript"></script>
     44 
     45    <!-- inline styles: each style element below targets the list item with the matching id. Only the element carrying the nonce valid for styles is expected to apply (green). The other three rules set red, so a red item means an inline style was applied without a valid style nonce; this includes the element that carries the script nonce, which is expected not to authorize styles. -->
     46    <ol>
     47      <li id=inline-style-correct-nonce>
     48        (inline style with correct nonce) This text should be green
     49      </li>
     50      <li id=inline-style-incorrect-nonce>
     51        (inline style with incorrect nonce) This text should be black
     52      </li>
     53      <li id=inline-style-correct-script-nonce>
     54        (inline style with correct script, not style, nonce) This text should be black
     55      </li>
     56      <li id=inline-style-no-nonce>
     57        (inline style with no nonce) This text should be black
     58      </li>
     59    </ol>
     60    <style nonce=correctstylenonce>
     61      li#inline-style-correct-nonce { color: green; }
     62    </style>
     63    <style nonce=incorrectstylenonce>
     64      li#inline-style-incorrect-nonce { color: red; }
     65    </style>
     66    <style nonce=correctscriptnonce>
     67      li#inline-style-correct-script-nonce { color: red; }
     68    </style>
     69    <style>
     70      li#inline-style-no-nonce { color: red; }
     71    </style>
     72  </body>
     73 </html>