preload-nonce.sub.html (1858B)
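<!DOCTYPE html>
<!--
  Checks that a preload request is matched against the CSP using the nonce on
  its own <link> element: preloads without a nonce must never reach the
  server, preloads with the matching nonce must.

  A <meta>-delivered policy only governs what the parser reaches after it, so
  this element has to stay ahead of the preload links below.
    script-src  'nonce-wpt' admits the harness and helper scripts;
                'nonce-script' is the nonce carried by the as=script preload.
    style-src   'nonce-style' is the nonce carried by the as=style preload.
    default-src 'none' blocks every other fetch type.
    connect-src 'self' is presumably what lets the helper query the stash on
                the same origin; confirm against preload_helper.js.
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-wpt' 'nonce-script'; default-src 'none'; style-src 'nonce-style'; connect-src 'self';">
<title>Makes sure that preload requests use their nonce for the CSP</title>
<script src="/resources/testharness.js" nonce="wpt"></script>
<script src="/resources/testharnessreport.js" nonce="wpt"></script>
<script src="/preload/resources/preload_helper.js" nonce="wpt"></script>
<!--
  Four preloads, each with its own uuid stash key so one request cannot be
  mistaken for another: style and script, each once without a nonce (must be
  blocked) and once with the nonce its directive allows (must be fetched).
-->
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="style">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="style" nonce="style">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="script">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="script" nonce="script">
<body>
<script nonce="wpt">
// Block scope keeps these helpers out of the global namespace shared with the
// harness and helper scripts.
{
  // Fixed observation window. "Blocked" is inferred from the absence of a
  // server-side record, so the negative test cannot see a request that lands
  // after this delay.
  const settleMs = 3000;

  // Extracts the stash key from the end of a preload URL.
  const keyPattern = /\?key=([a-zA-Z0-9\-]+)$/;

  // Number of preload links each selector is expected to match in the markup
  // above (one as=style and one as=script).
  const expectedLinks = 2;

  // Returns the stash keys of the rel=preload links matched by `selector`.
  // Fails the calling test, instead of throwing a TypeError, when a link's
  // URL carries no recognisable key.
  const collectPreloadKeys = (selector) => {
    const keys = [];
    for (const link of document.querySelectorAll(selector)) {
      if (link.rel !== 'preload') {
        continue;
      }
      const match = link.href.match(keyPattern);
      assert_not_equals(match, null, `no stash key found in ${link.href}`);
      keys.push(match[1]);
    }
    return keys;
  };

  promise_test(async (t) => {
    verifyPreloadAndRTSupport();
    const keys = collectPreloadKeys('link:not([nonce])');
    // Without this check an empty selection would let the loop below pass
    // without testing anything.
    assert_equals(keys.length, expectedLinks,
                  'number of preload links without a nonce');
    await new Promise((resolve) => step_timeout(resolve, settleMs));

    for (const key of keys) {
      assert_false(await hasArrivedAtServer(key),
                   `preload without a nonce reached the server (key ${key})`);
    }
  }, 'Preload requests without a nonce are blocked by CSP.');

  // NOTE(review): neither test covers a preload whose nonce is valid only for
  // a different directive than its `as` type.
  promise_test(async (t) => {
    verifyPreloadAndRTSupport();
    const keys = collectPreloadKeys('link[nonce]');
    // Same guard as above: an empty selection must not count as a pass.
    assert_equals(keys.length, expectedLinks,
                  'number of preload links with a nonce');
    await new Promise((resolve) => step_timeout(resolve, settleMs));

    for (const key of keys) {
      assert_true(await hasArrivedAtServer(key),
                  `preload with a correct nonce never reached the server (key ${key})`);
    }
  }, 'Preload requests with a correct nonce are allowed by CSP.');
}
</script>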