path: root/dom/security/test/csp/file_nonce_source.html
<!doctype html>
<html>
  <head>
    <!--
      Fixture page for CSP nonce-source matching on scripts and styles.
      The policy itself is not part of this file.
      NOTE(review): it is presumably delivered as a response header by the
      test harness; confirm against the test that loads this page.
      Judging by the testid suffixes and the expected colours below, the
      policy appears to accept "correctscriptnonce" and
      "anothercorrectscriptnonce" for scripts and "correctstylenonce" for
      styles. A testid ending in _good marks a load that is expected to be
      allowed; one ending in _bad marks a load that is expected to be blocked.
      The nonce values are fixed strings only because this is a fixture: a
      deployed policy needs an unpredictable nonce generated fresh for every
      response, otherwise injected markup can simply reuse it.
    -->
    <!-- external styles: only the style nonce should authorise a stylesheet;
         a wrong nonce, a script nonce, or no nonce should all be blocked.
         NOTE(review): the no-nonce case being "bad" suggests the style policy
         has no source-list entry covering this page's own origin; confirm. -->
    <link rel='stylesheet' nonce="correctstylenonce" href="file_CSP.sjs?testid=external_style_correct_nonce_good&type=text/css" />
    <link rel='stylesheet' nonce="incorrectstylenonce" href="file_CSP.sjs?testid=external_style_incorrect_nonce_bad&type=text/css" />
    <link rel='stylesheet' nonce="correctscriptnonce" href="file_CSP.sjs?testid=external_style_correct_script_nonce_bad&type=text/css" />
    <link rel='stylesheet' href="file_CSP.sjs?testid=external_style_no_nonce_bad&type=text/css" />
  </head>
  <body>
    <!-- inline scripts: each script recolours its own list item if it runs.
         The script carrying the correct script nonce sets green; the other
         three set red, so red text means a script executed that the policy
         should have blocked. The third case checks that a nonce valid for
         styles does not authorise a script. -->
    <ol>
      <li id="inline-script-correct-nonce">(inline script with correct nonce) This text should be green.</li>
      <li id="inline-script-incorrect-nonce">(inline script with incorrect nonce) This text should be black.</li>
      <li id="inline-script-correct-style-nonce">(inline script with correct nonce for styles, but not for scripts) This text should be black.</li>
      <li id="inline-script-no-nonce">(inline script with no nonce) This text should be black.</li>
    </ol>
    <script nonce="correctscriptnonce">
      document.getElementById("inline-script-correct-nonce").style.color = "rgb(0, 128, 0)";
    </script>
    <script nonce="incorrectscriptnonce">
      document.getElementById("inline-script-incorrect-nonce").style.color = "rgb(255, 0, 0)";
    </script>
    <script nonce="correctstylenonce">
      document.getElementById("inline-script-correct-style-nonce").style.color = "rgb(255, 0, 0)";
    </script>
    <script>
      document.getElementById("inline-script-no-nonce").style.color = "rgb(255, 0, 0)";
    </script>

    <!-- external scripts, loaded by absolute URL from http://example.org.
         NOTE(review): that origin is presumably outside the script
         source list, so the nonce alone decides each case; confirm against
         the policy. Two distinct nonces are expected to be accepted, which
         exercises a policy listing more than one nonce. -->
    <script nonce="correctscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_correct_nonce_good&type=text/javascript"></script>
    <script nonce="anothercorrectscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_another_correct_nonce_good&type=text/javascript"></script>
    <script nonce="incorrectscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_incorrect_nonce_bad&type=text/javascript"></script>
    <script nonce="correctstylenonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_correct_style_nonce_bad&type=text/javascript"></script>
    <script src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_no_nonce_bad&type=text/javascript"></script>

    <!-- This external script has the correct nonce and comes from an allowlisted URI. It should be allowed. -->
    <script nonce="correctscriptnonce" src="file_CSP.sjs?testid=external_script_correct_nonce_correct_uri_good&type=text/javascript"></script>
    <!-- This external script has an incorrect nonce, but comes from an allowlisted URI. It should be allowed:
         a source-list match is sufficient by itself, and a mismatching nonce does not revoke it. -->
    <script nonce="incorrectscriptnonce" src="file_CSP.sjs?testid=external_script_incorrect_nonce_correct_uri_good&type=text/javascript"></script>
    <!-- This external script has no nonce and comes from an allowlisted URI. It should be allowed. -->
    <script src="file_CSP.sjs?testid=external_script_no_nonce_correct_uri_good&type=text/javascript"></script>

    <!-- inline styles: same four cases as the inline scripts, applied to
         style elements. Green means the style with the correct style nonce
         was applied; red means a style was applied that the policy should
         have blocked. The third case checks that a nonce valid for scripts
         does not authorise a style. -->
    <ol>
      <li id=inline-style-correct-nonce>
        (inline style with correct nonce) This text should be green
      </li>
      <li id=inline-style-incorrect-nonce>
        (inline style with incorrect nonce) This text should be black
      </li>
      <li id=inline-style-correct-script-nonce>
        (inline style with correct script, not style, nonce) This text should be black
      </li>
      <li id=inline-style-no-nonce>
        (inline style with no nonce) This text should be black
      </li>
    </ol>
    <style nonce=correctstylenonce>
      li#inline-style-correct-nonce { color: green; }
    </style>
    <style nonce=incorrectstylenonce>
      li#inline-style-incorrect-nonce { color: red; }
    </style>
    <style nonce=correctscriptnonce>
      li#inline-style-correct-script-nonce { color: red; }
    </style>
    <style>
      li#inline-style-no-nonce { color: red; }
    </style>
  </body>
</html>