<!DOCTYPE html> <script src="/resources/testharness.js" nonce="abc"></script> <script src="/resources/testharnessreport.js" nonce="abc"></script> <!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers --> <body> <!-- Basics --> <svg xmlns="http://www.w3.org/2000/svg"> <script nonce="abc" id="testScript"> document.currentScript.setAttribute('executed', 'yay'); </script> </svg> <script nonce="abc"> var script = document.querySelector('#testScript'); test(t => { // Query Selector assert_equals(document.querySelector('body [nonce]'), script); assert_equals(document.querySelector('body [nonce=""]'), script); assert_equals(document.querySelector('body [nonce=abc]'), null); assert_equals(script.getAttribute('nonce'), ''); assert_equals(script.nonce, 'abc'); }, "Reading 'nonce' content attribute and IDL attribute."); // Clone node. test(t => { script.setAttribute('executed', 'boo'); var s2 = script.cloneNode(); assert_equals(s2.nonce, 'abc', 'IDL attribute'); assert_equals(s2.getAttribute('nonce'), ''); }, "Cloned node retains nonce."); async_test(t => { var s2 = script.cloneNode(); document.head.appendChild(s2); assert_equals(s2.nonce, 'abc'); assert_equals(s2.getAttribute('nonce'), ''); window.addEventListener('load', t.step_func_done(_ => { // The cloned script won't execute, as its 'already started' flag is set. assert_equals(s2.getAttribute('executed'), 'boo'); })); }, "Cloned node retains nonce when inserted."); // Set the content attribute to 'foo' test(t => { script.setAttribute('nonce', 'foo'); assert_equals(script.getAttribute('nonce'), 'foo'); assert_equals(script.nonce, 'foo'); }, "Writing 'nonce' content attribute."); // Set the IDL attribute to 'bar' test(t => { script.nonce = 'bar'; assert_equals(script.nonce, 'bar'); assert_equals(script.getAttribute('nonce'), 'foo'); }, "Writing 'nonce' IDL attribute."); // Fragment parser. var documentWriteTest = async_test("Document-written script executes."); document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'> documentWriteTest.done(); test(t => { var script = document.currentScript; assert_equals(script.getAttribute('nonce'), ''); assert_equals(script.nonce, 'abc'); }, "Document-written script's nonce value."); </scr` + `ipt></svg>`); // Create node. test(t => { var s = document.createElement('svg'); var innerScript = document.createElement('script'); innerScript.innerText = script.innerText; innerScript.nonce = 'abc'; s.appendChild(innerScript); document.body.appendChild(s); assert_equals(innerScript.nonce, 'abc'); assert_equals(innerScript.getAttribute('nonce'), null); }, "createElement.nonce."); // Create node. test(t => { var s = document.createElement('svg'); var innerScript = document.createElement('script'); innerScript.innerText = script.innerText; innerScript.setAttribute('nonce', 'abc'); assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content"); assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL"); s.appendChild(innerScript); document.body.appendChild(s); assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL"); assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion content"); }, "createElement.setAttribute."); </script>