summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/script-src/scripthash-changed-2.html
blob: 927d60a8d78fcf531970793ac7778c895d4f8167 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<!DOCTYPE html>
<head>
    <title>CSP inline script check is done at #prepare-a-script (hash)</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
    <!--
      'log2 += 'scr2 at #prepare-a-script';' => 'sha256-9vE5NuHfEDoLvk3nPZPDX2/mnG+ZwKhpPuwQZwCDGc4=' (blocked)
      'log2 += 'scr2 at #execute-the-script-block';' => 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw=' (allowed)
    -->
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-3AdhWTFuyxSUPxmqpTJaFRx3R5WNcyGw57lFoj1rTXw='"></meta>
</head>
<!--
  "Should element's inline behavior be blocked by Content Security Policy?"
  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
  not at https://html.spec.whatwg.org/C/#execute-the-script-block.
  So when innerText is modified after #prepare-a-script, the text BEFORE
  the modification is used for hash check.
-->
<script nonce="abc">
let log2 = '';
</script>

<!--  Execution order:
  async script is executed
  -> stylesheet is loaded
  -> inline script is executed. -->
<link rel="stylesheet" href="support/empty.css?dummy=2&pipe=trickle(d2)" type="text/css">
<script src="support/change-scripthash-before-execute.js?dummy=2&pipe=trickle(d1)" async></script>
<script id="scr2">log2 += 'scr2 at #prepare-a-script';</script>

<script nonce="abc">
test(() => {
  assert_equals(log2, '');
}, 'scr2.innerText before modification should be blocked');
</script>