35 lines
1.5 KiB
HTML
35 lines
1.5 KiB
HTML
<!DOCTYPE html>
|
|
<head>
|
|
<title>CSP inline script check is done at #prepare-a-script (hash)</title>
|
|
<script src="/resources/testharness.js"></script>
|
|
<script src="/resources/testharnessreport.js"></script>
|
|
<!--
|
|
'log1 += 'scr1 at #prepare-a-script';' => 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s=' (allowed)
|
|
'log1 += 'scr1 at #execute-the-script-block';' => 'sha256-Vtap5AhPN9kbQAbWqObJexCvNDexqoIwo4XsABQBqcg=' (blocked)
|
|
-->
|
|
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s='"></meta>
|
|
</head>
|
|
<!--
|
|
"Should element's inline behavior be blocked by Content Security Policy?"
|
|
is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
|
|
not at https://html.spec.whatwg.org/C/#execute-the-script-block.
|
|
So when innerText is modified after #prepare-a-script, the text BEFORE
|
|
the modification is used for hash check.
|
|
-->
|
|
<script nonce="abc">
|
|
let log1 = '';
|
|
</script>
|
|
|
|
<!-- Execution order:
|
|
async script is executed
|
|
-> stylesheet is loaded
|
|
-> inline script is executed. -->
|
|
<link rel="stylesheet" href="support/empty.css?dummy=1&pipe=trickle(d2)" type="text/css">
|
|
<script src="support/change-scripthash-before-execute.js?dummy=1&pipe=trickle(d1)" async></script>
|
|
<script id="scr1">log1 += 'scr1 at #prepare-a-script';</script>
|
|
|
|
<script nonce="abc">
|
|
test(() => {
|
|
assert_equals(log1, 'scr1 at #prepare-a-script');
|
|
}, 'scr1.innerText before modification should not be blocked');
|
|
</script>
|