scriptnonce-changed-2.html (1225B)
<!DOCTYPE html>
<head>
<title>CSP inline script check is done at #prepare-a-script (nonce)</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-deadbeef'"></meta>
</head>
<!--
"Should element's inline behavior be blocked by Content Security Policy?"
is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
not at https://html.spec.whatwg.org/C/#execute-the-script-block.
So when the nonce is modified after #prepare-a-script, the nonce BEFORE
the modification is the one used for the CSP nonce check.
-->
<script nonce="abc">
let log2 = '';
</script>

<!-- Execution order:
async script is executed
-> stylesheet is loaded
-> inline script is executed. -->
<link rel="stylesheet" href="support/empty.css?dummy=4&pipe=trickle(d2)" type="text/css">
<script src="support/change-scriptnonce-before-execute.js?dummy=4&pipe=trickle(d1)" async></script>
<script id="scr2" nonce="wrong">log2 += 'scr2 executed';</script>

<script nonce="abc">
test(() => {
  assert_equals(log2, '');
}, 'scr2 nonce before modification should be blocked');
</script>
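As an added illustration (not part of the WPT file above), the following Node/JavaScript model captures the ordering the test relies on: the nonce is read and the CSP inline-script decision is made once at "prepare a script", so a later change to the attribute (change-scriptnonce-before-execute.js is assumed here to set scr2's nonce to the valid value 'abc') cannot unblock the script. The names parseScriptSrc, inlineScriptAllowed, prepareScript, executeScriptBlock and runScenario are chosen here, and script digests are supplied by the caller rather than computed.

```javascript
// Model of the CSP inline-script decision and of when the HTML spec takes it.
// Added example; it is not the test file's code and not a browser's code.

// Parse a script-src directive value into its nonce and hash source expressions.
// Host sources such as 'self' never permit inline scripts, so they are skipped.
function parseScriptSrc(directiveValue) {
  const nonces = new Set();
  const hashes = new Set();
  for (const token of directiveValue.trim().split(/\s+/)) {
    const nonceMatch = /^'nonce-(.+)'$/.exec(token);            // case-sensitive value
    const hashMatch = /^'(sha(?:256|384|512)-.+)'$/i.exec(token); // sha256-<base64>
    if (nonceMatch) nonces.add(nonceMatch[1]);
    else if (hashMatch) hashes.add(hashMatch[1]);
  }
  return { nonces, hashes };
}

// Is an inline script with this nonce attribute and these digests allowed?
function inlineScriptAllowed(policy, nonce, digests) {
  if (nonce !== '' && policy.nonces.has(nonce)) return true;
  return digests.some(d => policy.hashes.has(d));
}

// #prepare-a-script: the nonce and source text are read and the decision is
// fixed here, as a snapshot that execution will reuse.
function prepareScript(element, policy) {
  const allowed = inlineScriptAllowed(policy, element.nonce, element.digests);
  return { allowed, text: element.text };
}

// #execute-the-script-block: only the prepare-time decision matters; attribute
// changes made in between have no effect. Returns whether the script ran.
function executeScriptBlock(prepared, log) {
  if (prepared.allowed) log.push(prepared.text);
  return prepared.allowed;
}

function runScenario() {
  const policy = parseScriptSrc("'self' 'nonce-abc' 'sha256-deadbeef'");
  const log = [];
  // Constructed stand-ins for elements; digests are passed in, not computed.
  const scr2 = { nonce: 'wrong', text: "log2 += 'scr2 executed'", digests: ['sha256-other'] };
  const prepared = prepareScript(scr2, policy);   // decision: blocked
  scr2.nonce = 'abc';                              // too late: prepare already ran
  const ranLate = executeScriptBlock(prepared, log);
  const good = { nonce: 'abc', text: 'ok', digests: [] };
  const ranGood = executeScriptBlock(prepareScript(good, policy), log);
  const byHash = { nonce: '', text: 'hashed', digests: ['sha256-deadbeef'] };
  const ranHash = executeScriptBlock(prepareScript(byHash, policy), log);
  return { ranLate, ranGood, ranHash, log };
}
```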