
script-src-strict_dynamic_non_parser_inserted.html (3200B)


      1 <!DOCTYPE HTML>
      2 <html>
      3 
      4 <head>
      5    <title>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</title>
      6    <script src='/resources/testharness.js' nonce='dummy'></script>
      7    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
      8 
      9    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
     10 </head>
     11 
     12 <body>
     13    <h1>Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive.</h1>
     14    <div id='log'></div>
     15 
     16    <script nonce='dummy'>
     17        window.addEventListener('securitypolicyviolation', function(e) {
     18            assert_unreached('No CSP violation report has fired.');
     19        });
     20 
     21        async_test(function(t) {
     22            window.addEventListener('message', t.step_func(function(e) {
     23                if (e.data === 'appendChild') {
     24                    t.done();
     25                }
     26            }));
     27            var e = document.createElement('script');
     28            e.id = 'appendChild';
     29            e.src = 'simpleSourcedScript.js?' + e.id;
     30            e.onerror = t.unreached_func('Error should not be triggered.');
     31            document.body.appendChild(e);
     32        }, 'Script injected via `appendChild` is allowed with `strict-dynamic`.');
     33    </script>
     34 
     35    <script nonce='dummy'>
     36        async_test(function(t) {
     37            window.addEventListener('message', t.step_func(function(e) {
     38                if (e.data === 'appendChild-incorrectNonce') {
     39                    t.done();
     40                }
     41            }));
     42            var e = document.createElement('script');
     43            e.id = 'appendChild-incorrectNonce';
     44            e.src = 'simpleSourcedScript.js?' + e.id;
     45            e.setAttribute('nonce', 'wrong');
     46            e.onerror = t.unreached_func('Error should not be triggered.');
     47            document.body.appendChild(e);
     48        }, 'Script injected via `appendChild` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
     49    </script>
     50 
     51    <script nonce='dummy'>
     52        async_test(function(t) {
     53            window.appendChildViaTextContent = t.step_func_done();
     54            var e = document.createElement('script');
     55            e.id = 'appendChild-textContent';
     56            e.textContent = "appendChildViaTextContent();";
     57            e.onerror = t.unreached_func('Error should not be triggered.');
     58            document.body.appendChild(e);
     59        }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`.');
     60    </script>
     61 
     62    <script nonce='dummy'>
     63        async_test(function(t) {
     64            window.appendChildViaTextContentIncorrectNonce = t.step_func_done();
     65            var e = document.createElement('script');
     66            e.id = 'appendChild-textContent-incorrectNonce';
     67            e.setAttribute('nonce', 'wrong');
     68            e.textContent = "appendChildViaTextContentIncorrectNonce();";
     69            e.onerror = t.unreached_func('Error should not be triggered.');
     70            document.body.appendChild(e);
     71        }, 'Script injected via `appendChild` populated via `textContent` is allowed with `strict-dynamic`, even if it carries an incorrect nonce.');
     72    </script>
     73 
     74 </body>
     75 
     76 </html>