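<!doctype html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <title>Parser-inserted scripts without a correct nonce are not allowed with `Strict-Dynamic` in the script-src directive.</title>
  <script src="/resources/testharness.js" nonce="dummy"></script>
  <script src="/resources/testharnessreport.js" nonce="dummy"></script>

  <!-- CSP served: script-src 'Strict-Dynamic' 'nonce-dummy' -->
  <!-- Strict-Dynamic is intentionally mixed case -->
  <!--
    Every <script> on this page carries the served nonce, so the harness and
    the test bodies themselves are allowed. Each test then injects markup
    WITHOUT a nonce (via document.write/writeln, innerHTML or
    insertAdjacentHTML) and expects the policy to block it and to dispatch a
    securitypolicyviolation event; the effective directive reported is
    asserted so that a policy which blocks for the wrong reason still fails.
  -->
</head>

<body>
  <h1>Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive.</h1>
  <div id="log"></div>

  <script nonce="dummy">
    // Parser-inserted external scripts.
    //
    // Each case writes a <script src="simpleSourcedScript.js?ID"> element into
    // the parser input stream while the document is still being parsed. The
    // element has no nonce, so under 'strict-dynamic' it must be blocked by
    // the script-src-elem check. One id string drives the element id, the URL
    // query, the securitypolicyviolation filter and the message filter, so
    // the three can never drift apart (a typo in any one of them would turn
    // the negative assertion into a silently vacuous check).
    //
    // Table fields:
    //   method     - document method used for the injection ('write' / 'writeln')
    //   id         - element id and URL query; must match the listeners below
    //   attributes - attribute prefix placed before id= in the injected tag
    //   kind       - human-readable prefix used in the test description
    var parserInsertedCases = [
      { method: 'write',   id: 'documentWrite',                  attributes: '',             kind: '' },
      { method: 'writeln', id: 'documentWriteln',                attributes: '',             kind: '' },
      { method: 'write',   id: 'documentWrite-deferred',         attributes: 'defer ',       kind: 'deferred ' },
      { method: 'writeln', id: 'documentWriteln-deferred',       attributes: 'defer ',       kind: 'deferred ' },
      { method: 'write',   id: 'documentWrite-async',            attributes: 'async ',       kind: 'async ' },
      { method: 'writeln', id: 'documentWriteln-async',          attributes: 'async ',       kind: 'async ' },
      { method: 'write',   id: 'documentWrite-deferred-async',   attributes: 'defer async ', kind: 'deferred async ' },
      { method: 'writeln', id: 'documentWriteln-deferred-async', attributes: 'defer async ', kind: 'deferred async ' }
    ];

    // Registers one async_test for a parser-inserted script case.
    //
    // method     - 'write' or 'writeln' (the document method that injects the tag)
    // id         - id attribute and URL query of the injected script
    // attributes - literal attribute prefix, e.g. 'defer ' or '' (note trailing space)
    // kind       - description prefix, e.g. 'deferred ' or ''
    //
    // Passes when a securitypolicyviolation for this id reports
    // 'script-src-elem'; fails if the injected script manages to run
    // (simpleSourcedScript.js is expected to postMessage its own id when it
    // executes -- verify against that file) and times out if neither happens.
    function testParserInsertedScriptBlocked(method, id, attributes, kind) {
      var description = 'Parser-inserted ' + kind + 'script via `document.' + method +
          '` without a correct nonce is not allowed with `strict-dynamic`.';

      async_test(function(t) {
        // Any message carrying this id means the blocked script actually ran.
        window.addEventListener('message', t.step_func(function(e) {
          if (e.data === id) {
            assert_unreached(description);
          }
        }));

        // Same-origin violations report the full blocked URL, so the query
        // string tells us which injected script this event belongs to;
        // events for the other cases on the page are ignored here.
        window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
          if (violation.blockedURI.split('?')[1] !== id) {
            return;
          }
          assert_equals(violation.effectiveDirective, 'script-src-elem');
          t.done();
        }));

        // The tag name is split so the HTML parser does not treat this
        // literal as the end of the enclosing <script> element.
        document[method]('<scr' + 'ipt ' + attributes + 'id="' + id +
            '" src="simpleSourcedScript.js?' + id + '"></scr' + 'ipt>');
      }, description);
    }

    for (var i = 0; i < parserInsertedCases.length; i++) {
      var c = parserInsertedCases[i];
      testParserInsertedScriptBlocked(c.method, c.id, c.attributes, c.kind);
    }
  </script>

  <script nonce="dummy">
    // Inline event handlers injected through HTML fragment parsing.
    //
    // innerHTML and insertAdjacentHTML never execute <script> elements they
    // create, so these cases inject an <img> whose onerror handler would set
    // a global flag. The handler attribute carries no nonce, so under
    // 'strict-dynamic' it must be blocked by the script-src-attr check and
    // the flag must stay false.
    //
    // The flags are top-level `var`s so the inline handler text
    // (`<flag> = true;`) and the assertion below refer to the same window
    // property.
    var innerHTMLScriptRan = false;
    var insertAdjacentHTMLScriptRan = false;

    // Registers one async_test for an injected inline event handler.
    //
    // id           - id attribute of the injected <img>; also names the API under test
    // flagName     - global variable the onerror handler would set to true
    // injectMarkup - function(container, markup) that inserts markup using the API under test
    //
    // Passes when a securitypolicyviolation whose target is the injected
    // element reports 'script-src-attr' while the flag is still false.
    function testInjectedHandlerBlocked(id, flagName, injectMarkup) {
      async_test(function(t) {
        // The violation event is dispatched on the element and bubbles to
        // window; filter on the target so the other case is ignored.
        window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
          if (violation.target.id !== id) {
            return;
          }
          assert_false(window[flagName]);
          assert_equals(violation.effectiveDirective, 'script-src-attr');
          t.done();
        }));

        var container = document.createElement('div');
        injectMarkup(container, "<img id='" + id + "' src='/nonexisting.jpg' onerror='" +
            flagName + " = true;' style='display:none'>");
        // Attaching to the document is what makes the image load (and fail),
        // which is the only path by which the handler could fire.
        document.body.appendChild(container);
      }, 'Script injected via `' + id + '` is not allowed with `strict-dynamic`.');
    }

    testInjectedHandlerBlocked('innerHTML', 'innerHTMLScriptRan', function(container, markup) {
      container.innerHTML = markup;
    });
    testInjectedHandlerBlocked('insertAdjacentHTML', 'insertAdjacentHTMLScriptRan', function(container, markup) {
      container.insertAdjacentHTML('afterbegin', markup);
    });
  </script>
</body>

</html>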