script-text-modifications-csp.html (2146B)
1 <!doctype html> 2 <head> 3 <meta charset=utf-8> 4 <title>Modify HTMLScriptElement's text after #prepare-a-script that violates CSP</title> 5 <link rel=help href="https://html.spec.whatwg.org/multipage/scripting.html#prepare-a-script"> 6 <script src="/resources/testharness.js"></script> 7 <script src="/resources/testharnessreport.js"></script> 8 <meta http-equiv="content-security-policy" content="script-src 9 'nonce-allow' 10 'sha256-2+5xh6b9uuIi4GaJtmHWtgR2nwRXJpBtMY4nVaOBpfc=' 11 "> 12 <!-- The hash is that of the original content of `script0`. --> 13 14 <script nonce="allow"> 15 window.t = async_test("Modify inline script element's text " + 16 "after prepare-a-script before evaluation (CSP)"); 17 18 const updatedText = 19 't.unreached_func("CSP check was done against the original text but the updated text was evaluated")();'; 20 21 function changeScriptText() { 22 document.querySelector('#script0').textContent = updatedText; 23 } 24 25 t.step_timeout(changeScriptText, 500); 26 </script> 27 28 <!-- This is "a style sheet that is blocking scripts" and thus ... --> 29 <link rel="stylesheet" href="/common/slow.py?pipe=trickle(d1)"></link> 30 31 <!-- This inline script becomes a parser-blocking script, and thus 32 the step_timeout is evaluated after script0 is inserted into DOM, 33 prepare-a-script'ed, but before its evaluation. --> 34 <script id="script0"> 35 t.step(() => { 36 // When this is evaluated after the stylesheet is loaded, 37 // script0's textContent is modified by the async script above, 38 // but the evaluated script is still the original script here, 39 // not what is overwritten, because "child text content" is taken in 40 // #prepare-a-script and passed to "creating a classic script". 41 var s = document.getElementById('script0'); 42 assert_equals(s.textContent, updatedText, 43 "<script>'s textContent should be already modified"); 44 t.done(); 45 }); 46 </script> 47 <script nonce="allow"> 48 // If this makes the test fail, it indicates `script0` (the original or updated 49 // text) was not evaluated, probably blocked by CSP that was checked against the 50 // updated text. 51 t.unreached_func("CSP check was done against the updated text")(); 52 </script>