tor-browser

The Tor Browser

scriptnonce-and-scripthash.sub.html (2598B)


      1 <!DOCTYPE html>
      2 <html>
      3 
      4 <head>
      5    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies.-->
           <!-- Policy under test: script-src permits same-origin script files ('self'),
                inline scripts whose text matches the listed sha256 digest, and inline
                scripts carrying nonce="nonceynonce". The nonce is a fixed string because
                this is a test fixture; a deployed policy needs a fresh, unpredictable
                nonce per response, otherwise injected markup can simply reuse it. -->
      6    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';">
      7    <title>scriptnonce-and-scripthash</title>
           <!-- The harness files are loaded by URL, so they are governed by the 'self'
                source rather than by the hash or the nonce. -->
      8    <script src="/resources/testharness.js"></script>
      9    <script src="/resources/testharnessreport.js"></script>
     10    <script nonce="nonceynonce">
               // This element carries the nonce named in the policy's 'nonce-nonceynonce' source.
               // log(msg) registers a test whose body calls assert_unreached(msg), so any call
               // to log() is reported as a failure with msg as the reason.
               // Nothing else in this file calls log().
     11        function log(msg) {
     12            test(function() {
     13                assert_unreached(msg)
     14            });
     15        }
     16    </script>
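     17    <script nonce="nonceynonce">
               // Every CSP violation event is fed into the same expectation list as the
               // script messages, encoded as "violated-directive=<directive name>".
     18        window.addEventListener('securitypolicyviolation', function(e) {
     19            alert_assert("violated-directive=" + e.violatedDirective);
     20        });
     21 
               // Single async test for the whole page. It completes only once every entry
               // of expected_alerts has been observed: three PASS messages from scripts the
               // policy should allow, plus two script-src-elem violation reports.
     22        var t_alert = async_test('Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]');
     23        var expected_alerts = ["PASS (1/3)", "PASS (2/3)", "PASS (3/3)", "violated-directive=script-src-elem", "violated-directive=script-src-elem"];
     24 
               // alert_assert(msg): record one observed message.
               //  - a message starting with "FAIL" (case-insensitive) fails the test;
               //  - a message found in expected_alerts is removed from the list, and the
               //    test is finished once the list is empty;
               //  - any other message fails the test as unexpected.
     25        function alert_assert(msg) {
     26            t_alert.step(function() {
     27                if (msg.match(/^FAIL/i)) {
     28                    assert_unreached(msg);
     29                    t_alert.done();
     30                }
     31                for (var i = 0; i < expected_alerts.length; i++) {
     32                    if (expected_alerts[i] == msg) {
     33                        assert_equals(expected_alerts[i], msg);
                               // Remove the matched entry so a duplicate message is not accepted twice.
     34                        expected_alerts.splice(i, 1);
     35                        if (expected_alerts.length == 0) {
     36                            t_alert.done();
     37                        }
     38                        return;
     39                    }
     40                }
     41                assert_unreached('unexpected alert: ' + msg);
                       // t_alert is the only test object this file declares, so finish that one;
                       // this mirrors the FAIL branch above.
     42                t_alert.done();
     43            });
     44        }
     45 
     46    </script>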
     47    <!-- enforcing policy:
     48 script-src 'self' 'sha256-LS8v1E1Ff0Hc8FobgWKNKY3sbW4rljPlZNQHyyutfKU=' 'nonce-nonceynonce'; connect-src 'self';
     49 -->
           <!-- The five inline scripts below are the cases under test. A hash source is
                matched against the exact text between the script tags, so re-indenting or
                adding a comment inside a hash-allowed script changes its digest and turns
                an allowed script into a blocked one. Notes are therefore kept outside the
                script elements. -->
           <!-- Case 1: nonce attribute equals the nonce in the policy; expected to run. -->
     50    <script nonce="nonceynonce">
     51        alert_assert('PASS (1/3)');
     52 
     53    </script>
           <!-- Case 2: no nonce. The harness expects this message, so the sha256 source in
                the policy is presumably the digest of this element's text (not recomputed
                in this review). Keep the content byte-for-byte, whitespace included. -->
     54    <script>
     55        alert_assert('PASS (2/3)');
     56 
     57    </script>
           <!-- Case 3: nonce attribute equals the nonce in the policy; expected to run. -->
     58    <script nonce="nonceynonce">
     59        alert_assert('PASS (3/3)');
     60 
     61    </script>
           <!-- Case 4: no nonce, and the text differs from case 2, so neither the nonce nor
                the hash source should apply; expected to be blocked. If it did run, the
                FAIL prefix would fail the test. -->
     62    <script>
     63        alert_assert('FAIL (1/2)');
     64 
     65    </script>
           <!-- Case 5: a nonce attribute is present but its value is not the one in the
                policy; expected to be blocked. Cases 4 and 5 line up with the two
                script-src-elem violation entries the harness waits for. -->
     66    <script nonce="notanonce">
     67        alert_assert('FAIL (2/2)');
     68 
     69    </script>
     70 </head>
     71 
     72 <body>
            <!-- Human-readable summary. The harness in the head is stricter than this
                 sentence: besides the three PASS messages it waits for two script-src-elem
                 violation reports, matching the two scripts expected to be blocked. -->
     73    <p>
     74        This tests the combined use of script hash and script nonce. It passes if a CSP violation is generated and the three alerts show PASS.
     75    </p>
            <!-- Presumably the container testharnessreport.js renders results into; confirm
                 against the harness. -->
     76    <div id="log"></div>
     77 </body>
     78 
     79 </html>