summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta.sub.html
blob: 870fef316eae9ca2fc5ab1182f746cfa6487cb05 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'">

<body>
<!-- Basics -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script nonce="abc" id="testScript">
    document.currentScript.setAttribute('executed', 'yay');
  </script>
</svg>

<script nonce="abc">
    var script = document.querySelector('#testScript');

    test(t => {
      // Query Selector
      assert_equals(document.querySelector('[nonce]'), script);
      assert_equals(document.querySelector('[nonce=""]'), null);
      assert_equals(document.querySelector('[nonce=abc]'), script);

      assert_equals(script.getAttribute('nonce'), 'abc');
      assert_equals(script.nonce, 'abc');
    }, "Reading 'nonce' content attribute and IDL attribute.");

    // Clone node.
    test(t => {
      script.setAttribute('executed', 'boo');
      var s2 = script.cloneNode();
      assert_equals(s2.nonce, 'abc', 'IDL attribute');
      assert_equals(s2.getAttribute('nonce'), 'abc');
    }, "Cloned node retains nonce.");

    async_test(t => {
      var s2 = script.cloneNode();
      document.head.appendChild(s2);
      assert_equals(s2.nonce, 'abc');
      assert_equals(s2.getAttribute('nonce'), 'abc');

      window.addEventListener('load', t.step_func_done(_ => {
        // The cloned script won't execute, as its 'already started' flag is set.
        assert_equals(s2.getAttribute('executed'), 'boo');
      }));
    }, "Cloned node retains nonce when inserted.");

    // Set the content attribute to 'foo'
    test(t => {
      script.setAttribute('nonce', 'foo');
      assert_equals(script.getAttribute('nonce'), 'foo');
      assert_equals(script.nonce, 'foo');
    }, "Writing 'nonce' content attribute.");

    // Set the IDL attribute to 'bar'
    test(t => {
      script.nonce = 'bar';
      assert_equals(script.nonce, 'bar');
      assert_equals(script.getAttribute('nonce'), 'foo');
    }, "Writing 'nonce' IDL attribute.");

    // Fragment parser.
    var documentWriteTest = async_test("Document-written script executes.");
    document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
      documentWriteTest.done();
      test(t => {
        var script = document.currentScript;
        assert_equals(script.getAttribute('nonce'), 'abc');
        assert_equals(script.nonce, 'abc');
      }, "Document-written script's nonce value.");
    </scr` + `ipt></svg>`);

    // Create node.
    test(t => {
      var s = document.createElement('svg');
      var innerScript = document.createElement('innerScript');
      innerScript.innerText = script.innerText;
      innerScript.nonce = 'abc';
      s.appendChild(innerScript);
      assert_equals(innerScript.nonce, 'abc');
      assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
      document.body.appendChild(s);
      assert_equals(innerScript.nonce, 'abc');
      assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
    }, "createElement.nonce.");

    // Create node.
    test(t => {
      var s = document.createElement('svg');
      var innerScript = document.createElement('script');
      innerScript.innerText = script.innerText;
      innerScript.setAttribute('nonce', 'abc');
      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
      assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
      s.appendChild(innerScript);
      document.body.appendChild(s);
      assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Post-insertion content");
    }, "createElement.setAttribute.");
</script>