1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
<!DOCTYPE html>
<head>
<title>CSP inline script check is done at #prepare-a-script (nonce)</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-deadbeef'"></meta>
</head>
<!--
"Should element's inline behavior be blocked by Content Security Policy?"
is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,
not at https://html.spec.whatwg.org/C/#execute-the-script-block.
So when nonce is modified after #prepare-a-script, the nonce BEFORE
the modification is used for hash check.
-->
<script nonce="abc">
let log1 = '';
</script>
<!-- Execution order:
async script is executed
-> stylesheet is loaded
-> inline script is executed. -->
<link rel="stylesheet" href="support/empty.css?dummy=3&pipe=trickle(d2)" type="text/css">
<script src="support/change-scriptnonce-before-execute.js?dummy=3&pipe=trickle(d1)" async></script>
<script id="scr1" nonce="abc">log1 += 'scr1 executed';</script>
<script nonce="abc">
test(() => {
assert_equals(log1, 'scr1 executed');
}, 'scr1 nonce before modification should not be blocked');
</script>
|
