tor-browser

svgscript-nonces-hidden.html (3662B)

---

<!DOCTYPE html>
<script src="/resources/testharness.js" nonce="abc"></script>
<script src="/resources/testharnessreport.js" nonce="abc"></script>

<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers -->

<body>
<!-- Basics -->
<svg xmlns="http://www.w3.org/2000/svg">
 <script nonce="abc" id="testScript">
   document.currentScript.setAttribute('executed', 'yay');
 </script>
</svg>

<script nonce="abc">
   var script = document.querySelector('#testScript');

   test(t => {
     // Query Selector
     assert_equals(document.querySelector('body [nonce]'), script);
     assert_equals(document.querySelector('body [nonce=""]'), script);
     assert_equals(document.querySelector('body [nonce=abc]'), null);

     assert_equals(script.getAttribute('nonce'), '');
     assert_equals(script.nonce, 'abc');
   }, "Reading 'nonce' content attribute and IDL attribute.");

   // Clone node.
   test(t => {
     script.setAttribute('executed', 'boo');
     var s2 = script.cloneNode();
     assert_equals(s2.nonce, 'abc', 'IDL attribute');
     assert_equals(s2.getAttribute('nonce'), '');
   }, "Cloned node retains nonce.");

   async_test(t => {
     var s2 = script.cloneNode();
     document.head.appendChild(s2);
     assert_equals(s2.nonce, 'abc');
     assert_equals(s2.getAttribute('nonce'), '');

     window.addEventListener('load', t.step_func_done(_ => {
       // The cloned script won't execute, as its 'already started' flag is set.
       assert_equals(s2.getAttribute('executed'), 'boo');
     }));
   }, "Cloned node retains nonce when inserted.");

   // Set the content attribute to 'foo'
   test(t => {
     script.setAttribute('nonce', 'foo');
     assert_equals(script.getAttribute('nonce'), 'foo');
     assert_equals(script.nonce, 'foo');
   }, "Writing 'nonce' content attribute.");

   // Set the IDL attribute to 'bar'
   test(t => {
     script.nonce = 'bar';
     assert_equals(script.nonce, 'bar');
     assert_equals(script.getAttribute('nonce'), 'foo');
   }, "Writing 'nonce' IDL attribute.");

   // Fragment parser.
   var documentWriteTest = async_test("Document-written script executes.");
   document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
     documentWriteTest.done();
     test(t => {
       var script = document.currentScript;
       assert_equals(script.getAttribute('nonce'), '');
       assert_equals(script.nonce, 'abc');
     }, "Document-written script's nonce value.");
   </scr` + `ipt></svg>`);

   // Create node.
   test(t => {
     var s = document.createElement('svg');
     var innerScript = document.createElement('script');
     innerScript.innerText = script.innerText;
     innerScript.nonce = 'abc';
     s.appendChild(innerScript);
     document.body.appendChild(s);
     assert_equals(innerScript.nonce, 'abc');
     assert_equals(innerScript.getAttribute('nonce'), null);
   }, "createElement.nonce.");

   // Create node.
   test(t => {
     var s = document.createElement('svg');
     var innerScript = document.createElement('script');
     innerScript.innerText = script.innerText;
     innerScript.setAttribute('nonce', 'abc');
     assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
     assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
     s.appendChild(innerScript);
     document.body.appendChild(s);
     assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
     assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion content");
   }, "createElement.setAttribute.");
</script>