1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
<!DOCTYPE html>
<meta charset="utf-8">
<title>import() inside compiled strings uses the appropriate nonce inside a classic script</title>
<link rel="author" title="Domenic Denicola" href="mailto:d@domenic.me">
<meta http-equiv="content-security-policy" content="script-src 'nonce-correct' 'unsafe-eval' 'unsafe-hashes' 'sha256-cAMzxBL19bKt4KwKGbxy/ZOFIIjH5AmRjlVbsD5pvNw=' 'sha256-3VjoJYNK/9HJMS8rrZHlqSZgUssDY+GPyc7AU8lNM3k='">
<script nonce="correct" src="/resources/testharness.js"></script>
<script nonce="correct" src="/resources/testharnessreport.js"></script>
<div id="dummy"></div>
<script nonce="correct">
"use strict";
const dummyDiv = document.querySelector("#dummy");
function createTestPromise(t) {
t.add_cleanup(() => {
delete window.evaluated_imports_a;
delete window.unreached;
delete window.continueTest;
delete window.errorTest;
});
return new Promise((resolve, reject) => {
window.unreached = t.unreached_func("Must not reach this");
window.continueTest = resolve;
window.errorTest = reject;
});
}
function assertSuccessful(module) {
assert_true(window.evaluated_imports_a, "The module must have been evaluated");
assert_equals(module.A.from, "imports-a.js", "The module namespace object must be correct");
}
promise_test(t => {
const promise = createTestPromise(t);
setTimeout(`import('../imports-a.js?label=setTimeout').then(window.continueTest, window.errorTest)`, 0);
return promise.then(assertSuccessful);
}, "setTimeout must inherit the nonce from the triggering script, thus execute");
promise_test(t => {
const promise = createTestPromise(t);
eval(`import('../imports-a.js?label=direct eval').then(window.continueTest, window.errorTest)`);
return promise.then(assertSuccessful);
}, "direct eval must inherit the nonce from the triggering script, thus execute");
promise_test(t => {
const promise = createTestPromise(t);
const evalAlias = eval;
evalAlias(`import('../imports-a.js?label=indirect eval').then(window.continueTest, window.errorTest)`);
return promise.then(assertSuccessful);
}, "indirect eval must inherit the nonce from the triggering script, thus execute");
promise_test(t => {
const promise = createTestPromise(t);
Function(`import('../imports-a.js?label=the Function constructor').then(window.continueTest, window.errorTest)`)();
return promise.then(assertSuccessful);
}, "the Function constructor must inherit the nonce from the triggering script, thus execute");
promise_test(t => {
t.add_cleanup(() => {
dummyDiv.removeAttribute("onclick");
});
const promise = createTestPromise(t);
// This only works because of the 'unsafe-hashes' and the hash in the CSP policy
dummyDiv.setAttribute(
"onclick",
`import('../imports-a.js?label=reflected inline event handlers').then(window.continueTest, window.errorTest)`
);
dummyDiv.onclick();
return promise_rejects_js(t, TypeError, promise);
}, "reflected inline event handlers must not inherit the nonce from the triggering script, thus fail");
promise_test(t => {
t.add_cleanup(() => {
dummyDiv.removeAttribute("onclick");
});
const promise = createTestPromise(t);
// This only works because of the 'unsafe-hashes' and the hash in the CSP policy
dummyDiv.setAttribute(
"onclick",
`import('../imports-a.js?label=inline event handlers triggered via UA code').then(window.continueTest, window.errorTest)`
);
assert_equals(typeof dummyDiv.onclick, "function", "the browser must be able to parse a string containing the import() syntax into a function");
dummyDiv.click(); // different from **on**click()
return promise_rejects_js(t, TypeError, promise);
}, "inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail");
</script>
|
