scriptnonce-ignore-unsafeinline.sub.html (2443B)


      1 <!DOCTYPE html>
      2 <html>
      3 
      4 <head>
      5    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
      6    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';">
      7    <title>scriptnonce-ignore-unsafeinline</title>
      8    <script src="/resources/testharness.js"></script>
      9    <script src="/resources/testharnessreport.js"></script>
     10    <script nonce='noncynonce'>
     11        function log(msg) {
     12            test(function() {
     13                assert_unreached(msg)
     14            });
     15        }
     16 
     17        window.addEventListener('securitypolicyviolation', function(e) {
     18            alert_assert("violated-directive=" + e.violatedDirective);
     19        });
     20    </script>
     21    <script nonce='noncynonce'>
     22        var t_alert = async_test('Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]');
     23        var expected_alerts = ["PASS (1/2)", "PASS (2/2)", "violated-directive=script-src-elem"];
     24 
     25        function alert_assert(msg) {
     26            t_alert.step(function() {
     27                if (msg.match(/^FAIL/i)) {
     28                    assert_unreached(msg);
     29                    t_alert.done();
     30                }
     31                for (var i = 0; i < expected_alerts.length; i++) {
     32                    if (expected_alerts[i] == msg) {
     33                        assert_equals(expected_alerts[i], msg);
     34                        expected_alerts.splice(i, 1);
     35                        if (expected_alerts.length == 0) {
     36                            t_alert.done();
     37                        }
     38                        return;
     39                    }
     40                }
     41                assert_unreached('unexpected alert: ' + msg);
     42                t_log.done();
     43            });
     44        }
     45 
     46    </script>
     47    <!-- enforcing policy:
     48 script-src 'self' 'unsafe-inline' 'nonce-noncynonce' 'nonce-noncy+/nonce=' 'unsafe-inline'; connect-src 'self';
     49 -->
     50    <script nonce="noncynonce">
     51 
     52 
     53    </script>
     54    <script nonce="noncynonce">
     55        alert_assert('PASS (1/2)');
     56    </script>
     57    <script nonce="noncy+/nonce=">
     58        alert_assert('PASS (2/2)');
     59 
     60    </script>
     61    <script>
     62        alert_assert('FAIL (1/1)');
     63 
     64    </script>
     65 </head>
     66 
     67 <body>
     68    <p>
     69        This tests that a valid nonce disables inline JavaScript, even if &apos;unsafe-inline&apos; is present.
     70    </p>
     71    <div id="log"></div>
     72 </body>
     73 
     74 </html>