1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
<!DOCTYPE html>
<html>
<head>
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.-->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';">
<title>scripthash-unicode-normalization</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<!-- The following two scripts contain two separate code points (U+00C5
and U+212B, respectively) which, depending on your text editor, might be
rendered the same.However, their difference is important because, under
NFC normalization, they would become the same code point, which would be
against the spec. This test, therefore, validates that the scripts have
*different* hash values. -->
<script nonce="nonceynonce">
var t_spv = async_test("Should fire securitypolicyviolation");
window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
assert_equals(e.violatedDirective, "script-src-elem");
}));
var matchingContent = 'Å';
var nonMatchingContent = 'Å';
// This script should have a hash value of
// sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
var scriptContent1 = "window.finish('" + matchingContent + "');";
// This script should have a hash value of
// sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
var script1 = document.createElement('script');
var script2 = document.createElement('script');
script1.test = async_test("Only matching content runs even with NFC normalization.");
var failure = function() {
assert_unreached();
}
window.finish = function(content) {
if (content == matchingContent) {
script1.test.step(function() {
script1.test.done();
});
} else {
script1.test.step(function() {
assert_unreached("nonMatchingContent script ran");
});
}
}
script1.onerror = failure;
document.body.appendChild(script2);
script2.textContent = scriptContent2;
document.body.appendChild(script1);
script1.textContent = scriptContent1;
</script>
<p>
This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken.
</p>
<div id="log"></div>
</body>
</html>
|