nonce-enforce-blocked.html (3840B)
1 <!DOCTYPE html> 2 <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> 3 <script src="/resources/testharness.js" nonce="abc"></script> 4 <script src="/resources/testharnessreport.js" nonce="abc"></script> 5 <script nonce="abc"> 6 var t = async_test("Unnonced scripts generate reports."); 7 var events = 0; 8 var firstLine = 43; 9 var expectations = {} 10 expectations[firstLine] = true; 11 expectations[firstLine + 3] = true; 12 expectations[firstLine + 6] = true; 13 expectations[firstLine + 9] = true; 14 expectations[firstLine + 12] = true; 15 expectations[firstLine + 15] = true; 16 expectations[firstLine + 18] = true; 17 expectations[firstLine + 21] = true; 18 expectations[firstLine + 24] = true; 19 expectations[firstLine + 28] = true; 20 expectations["/content-security-policy/support/nonce-should-be-blocked.js?1"] = true; 21 expectations["/content-security-policy/support/nonce-should-be-blocked.js?2"] = true; 22 expectations["/content-security-policy/support/nonce-should-be-blocked.js?3"] = true; 23 expectations["/content-security-policy/support/nonce-should-be-blocked.js?4"] = true; 24 expectations["/content-security-policy/support/nonce-should-be-blocked.js?5"] = true; 25 expectations["/content-security-policy/support/nonce-should-be-blocked.js?6"] = true; 26 expectations["/content-security-policy/support/nonce-should-be-blocked.js?7"] = true; 27 28 document.addEventListener('securitypolicyviolation', t.step_func(e => { 29 if (e.lineNumber) { 30 // Verify that the line is expected, then clear the expectation: 31 assert_true(expectations[e.lineNumber], "Line number: " + e.lineNumber); 32 assert_equals(e.blockedURI, "inline"); 33 } else { 34 // Otherwise, verify that the URL is expected, then clear the expectation: 35 var url = new URL(e.blockedURI); 36 assert_true(expectations[url.pathname + url.search], "URL: " + e.blockedURI); 37 } 38 events++; 39 if (events == Object.keys(expectations).length) 40 t.done(); 41 })); 42 </script> 43 <script> 44 t.unreached_func("No nonce, no execution.")(); 45 </script> 46 <script nonce="xyz"> 47 t.unreached_func("Bad nonce, no execution.")(); 48 </script> 49 <script <script nonce="abc"> 50 t.unreached_func("'<script' attribute, no execution.")(); 51 </script> 52 <script attribute<script nonce="abc"> 53 t.unreached_func("'attribute<script', no execution.")(); 54 </script> 55 <script attribute<style="value" nonce="abc"> 56 t.unreached_func("'attribute<style' attribute, no execution.")(); 57 </script> 58 <script attribute=<script nonce="abc"> 59 t.unreached_func("'<script' value, no execution.")(); 60 </script> 61 <script attribute=value<script nonce="abc"> 62 t.unreached_func("'value<script', no execution.")(); 63 </script> 64 <script attribute attribute nonce="abc"> 65 t.unreached_func("Duplicate attribute, no execution.")(); 66 </script> 67 <script attribute attribute=<style nonce="abc"> 68 t.unreached_func("2# Duplicate attribute, no execution.")(); 69 </script> 70 <svg xmlns="http://www.w3.org/2000/svg"> 71 <script attribute attribute nonce="abc"> 72 t.unreached_func("Duplicate attribute in SVG, no execution.")(); 73 </script> 74 </svg> 75 <script src="../support/nonce-should-be-blocked.js?1" <script nonce="abc"></script> 76 <script src="../support/nonce-should-be-blocked.js?2" attribute=<script nonce="abc"></script> 77 <script src="../support/nonce-should-be-blocked.js?3" <style nonce="abc"></script> 78 <script src="../support/nonce-should-be-blocked.js?4" attribute=<style nonce="abc"></script> 79 <script src="../support/nonce-should-be-blocked.js?5" attribute attribute nonce="abc"></script> 80 <script src="../support/nonce-should-be-blocked.js?6" attribute<script nonce="abc"></script> 81 <script src="../support/nonce-should-be-blocked.js?7" attribute=value<script nonce="abc"></script>