svgscript-nonces-hidden-meta.sub.html (3816B)
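<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<!--
  Nonce behaviour of SVG <script> elements when the policy is delivered by
  <meta> rather than by an HTTP response header.

  The assertions below expect the 'nonce' content attribute to stay readable:
  getAttribute('nonce') and the [nonce=abc] selector both still see 'abc'.
  Nonce hiding (moving the value out of the content attribute so it cannot be
  matched by attribute selectors) is tied to header-delivered policies in the
  HTML specification, so it is not expected here. Deployments that rely on
  nonce hiding should send the policy in the Content-Security-Policy response
  header instead of a <meta> element.
-->
<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'">

<body>
<!-- Basics: a parser-inserted SVG script carrying the matching nonce. -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script nonce="abc" id="testScript">
    document.currentScript.setAttribute('executed', 'yay');
  </script>
</svg>

<script nonce="abc">
  // The tests below share and mutate this element, so their order matters:
  // later tests observe the 'executed' and 'nonce' values written by earlier ones.
  var script = document.querySelector('#testScript');

  test(t => {
    // Query Selector: with a <meta>-delivered policy the content attribute is
    // not emptied, so the first [nonce] match is the SVG script and [nonce=""]
    // matches nothing.
    assert_equals(document.querySelector('[nonce]'), script);
    assert_equals(document.querySelector('[nonce=""]'), null);
    assert_equals(document.querySelector('[nonce=abc]'), script);

    assert_equals(script.getAttribute('nonce'), 'abc');
    assert_equals(script.nonce, 'abc');
  }, "Reading 'nonce' content attribute and IDL attribute.");

  // Clone node.
  test(t => {
    // Overwrite the marker so a later re-execution (which would write 'yay'
    // again) is detectable on the clones.
    script.setAttribute('executed', 'boo');
    var s2 = script.cloneNode();
    assert_equals(s2.nonce, 'abc', 'IDL attribute');
    assert_equals(s2.getAttribute('nonce'), 'abc');
  }, "Cloned node retains nonce.");

  async_test(t => {
    var s2 = script.cloneNode();
    document.head.appendChild(s2);
    assert_equals(s2.nonce, 'abc');
    assert_equals(s2.getAttribute('nonce'), 'abc');

    window.addEventListener('load', t.step_func_done(_ => {
      // The cloned script won't execute, as its 'already started' flag is set.
      assert_equals(s2.getAttribute('executed'), 'boo');
    }));
  }, "Cloned node retains nonce when inserted.");

  // Set the content attribute to 'foo': the IDL attribute follows it.
  test(t => {
    script.setAttribute('nonce', 'foo');
    assert_equals(script.getAttribute('nonce'), 'foo');
    assert_equals(script.nonce, 'foo');
  }, "Writing 'nonce' content attribute.");

  // Set the IDL attribute to 'bar': the content attribute keeps its old value.
  test(t => {
    script.nonce = 'bar';
    assert_equals(script.nonce, 'bar');
    assert_equals(script.getAttribute('nonce'), 'foo');
  }, "Writing 'nonce' IDL attribute.");

  // Fragment parser.
  // The closing tag is split across two string pieces so the HTML parser does
  // not end this outer <script> element early.
  var documentWriteTest = async_test("Document-written script executes.");
  document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
    documentWriteTest.done();
    test(t => {
      var script = document.currentScript;
      assert_equals(script.getAttribute('nonce'), 'abc');
      assert_equals(script.nonce, 'abc');
    }, "Document-written script's nonce value.");
  </scr` + `ipt></svg>`);

  // Create node, nonce supplied through the IDL attribute only.
  // createElementNS is required here: in an HTML document,
  // document.createElement('svg') returns an HTML-namespace element, and a tag
  // name such as 'innerScript' is not a script element at all, so neither
  // would exercise an SVG <script>. textContent is used because innerText is
  // not defined on SVG elements.
  test(t => {
    var s = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
    var innerScript = document.createElementNS('http://www.w3.org/2000/svg', 'script');
    innerScript.textContent = script.textContent;
    innerScript.nonce = 'abc';
    s.appendChild(innerScript);
    // Writing the IDL attribute never creates a content attribute.
    assert_equals(innerScript.nonce, 'abc');
    assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
    document.body.appendChild(s);
    assert_equals(innerScript.nonce, 'abc');
    assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
  }, "createElement.nonce.");

  // Create node, nonce supplied through the content attribute.
  // Both elements are created in the SVG namespace so that the element under
  // test is an SVG <script>, matching the rest of this file.
  test(t => {
    var s = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
    var innerScript = document.createElementNS('http://www.w3.org/2000/svg', 'script');
    innerScript.textContent = script.textContent;
    innerScript.setAttribute('nonce', 'abc');
    assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
    assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
    s.appendChild(innerScript);
    document.body.appendChild(s);
    // With a <meta>-delivered policy, insertion is not expected to empty the
    // content attribute.
    assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
    assert_equals(innerScript.getAttribute('nonce'), 'abc', "Post-insertion content");
  }, "createElement.setAttribute.");
</script>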