scripthash-changed-2.html (1513B)
<!DOCTYPE html>
<head>
<title>CSP inline script check is done at #prepare-a-script (hash)</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!--
Hashes of the two candidate texts for the inline script #scr2:
'log2 += 'scr2 at #prepare-a-script';' => 'sha256-9vE5NuHfEDoLvk3nPZPDX2/mnG+ZwKhpPuwQZwCDGc4=' (blocked)
'log2 += 'scr2 at #execute-the-script-block';' => 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw=' (allowed)
Only the second hash appears in the policy below. A hash source matches the
exact script text, so any edit to #scr2 (whitespace included) invalidates the
values recorded here and they must be recomputed.
-->
<!--
Policy under test: 'self' covers the same-origin external scripts loaded by
this page, 'nonce-abc' covers the two bookkeeping inline scripts, and the
single sha256 source is the hash of the text #scr2 does NOT contain in the
markup.
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw='"></meta>
</head>
<!--
"Should element's inline behavior be blocked by Content Security Policy?"
is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
not at https://html.spec.whatwg.org/C/#execute-the-script-block.
So when innerText is modified after #prepare-a-script, the text BEFORE
the modification is used for hash check.
Security consequence: a script whose original text is not allow-listed must
stay blocked even if its text is later changed to an allow-listed value
before it would have run.
-->
<!-- Nonce-allowed setup: log2 records whether #scr2 ever executed. -->
<script nonce="abc">
let log2 = '';
</script>

<!-- Execution order:
  async script is executed
  -> stylesheet is loaded
  -> inline script is executed.
The trickle(d1) / trickle(d2) pipes delay the async script and the stylesheet
respectively; the longer stylesheet delay is what keeps #scr2 pending while
the async script runs.
NOTE(review): support/change-scripthash-before-execute.js is not shown here;
judging by its name and the comments above, it presumably rewrites #scr2's
text to the allow-listed string during that window. Confirm against the
support file.
-->
<link rel="stylesheet" href="support/empty.css?dummy=2&pipe=trickle(d2)" type="text/css">
<script src="support/change-scripthash-before-execute.js?dummy=2&pipe=trickle(d1)" async></script>
<!-- Keep this element on one line with its text unchanged: the blocked hash above is computed over exactly this text. -->
<script id="scr2">log2 += 'scr2 at #prepare-a-script';</script>

<!--
Verdict: #scr2 appends to log2 whenever it runs, whichever text it holds, so
an empty log2 shows that it was blocked on the basis of its original,
non-allow-listed text.
-->
<script nonce="abc">
test(() => {
  assert_equals(log2, '');
}, 'scr2.innerText before modification should be blocked');
</script>