diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html | |
parent | Initial commit. (diff) | |
download | firefox-26a029d407be480d791972afb5975cf62c9360a6.tar.xz firefox-26a029d407be480d791972afb5975cf62c9360a6.zip |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html')
-rw-r--r-- | testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html new file mode 100644 index 0000000000..927d60a8d7 --- /dev/null +++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html @@ -0,0 +1,35 @@ +<!DOCTYPE html> +<head> + <title>CSP inline script check is done at #prepare-a-script (hash)</title> + <script src="/resources/testharness.js"></script> + <script src="/resources/testharnessreport.js"></script> + <!-- + 'log2 += 'scr2 at #prepare-a-script';' => 'sha256-9vE5NuHfEDoLvk3nPZPDX2/mnG+ZwKhpPuwQZwCDGc4=' (blocked) + 'log2 += 'scr2 at #execute-the-script-block';' => 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw=' (allowed) + --> + <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw='"></meta> +</head> +<!-- + "Should element's inline behavior be blocked by Content Security Policy?" + is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script, + not at https://html.spec.whatwg.org/C/#execute-the-script-block. + So when innerText is modified after #prepare-a-script, the text BEFORE + the modification is used for hash check. +--> +<script nonce="abc"> +let log2 = ''; +</script> + +<!-- Execution order: + async script is executed + -> stylesheet is loaded + -> inline script is executed. --> +<link rel="stylesheet" href="support/empty.css?dummy=2&pipe=trickle(d2)" type="text/css"> +<script src="support/change-scripthash-before-execute.js?dummy=2&pipe=trickle(d1)" async></script> +<script id="scr2">log2 += 'scr2 at #prepare-a-script';</script> + +<script nonce="abc"> +test(() => { + assert_equals(log2, ''); +}, 'scr2.innerText before modification should be blocked'); +</script> |