1 files changed, 72 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html b/testing/web-platform/tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
new file mode 100644
index 0000000000..b082b55e21
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/scripthash-unicode-normalization.sub.html
@@ -0,0 +1,72 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';">
+    <title>scripthash-unicode-normalization</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+</head>
+
+<body>
+    <!-- The following two scripts contain two separate code points (U+00C5
+        and U+212B, respectively) which, depending on your text editor, might be
+        rendered the same.However, their difference is important because, under
+        NFC normalization, they would become the same code point, which would be
+        against the spec. This test, therefore, validates that the scripts have
+        *different* hash values. -->
+    <script nonce="nonceynonce">
+      var t_spv = async_test("Should fire securitypolicyviolation");
+      window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
+          assert_equals(e.violatedDirective, "script-src-elem");
+      }));
+
+      var matchingContent = 'Å';
+      var nonMatchingContent = 'Å';
+
+      // This script should have a hash value of
+      // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
+      var scriptContent1 = "window.finish('" + matchingContent + "');";
+
+      // This script should have a hash value of
+      // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
+      var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
+
+      var script1 = document.createElement('script');
+      var script2 = document.createElement('script');
+
+      script1.test = async_test("Only matching content runs even with NFC normalization.");
+
+      var failure = function() {
+        assert_unreached();
+      }
+
+      window.finish = function(content) {
+        if (content == matchingContent) {
+          script1.test.step(function() {
+            script1.test.done();
+          });
+        } else {
+          script1.test.step(function() {
+            assert_unreached("nonMatchingContent script ran");
+          });
+        }
+      }
+
+      script1.onerror = failure;
+
+      document.body.appendChild(script2);
+      script2.textContent = scriptContent2;
+      document.body.appendChild(script1);
+      script1.textContent = scriptContent1;
+    </script>
+
+    <p>
+        This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
+    </p>
+    <div id="log"></div>
+</body>
+
+</html>