File: preload-strict-dynamic.html

<!DOCTYPE html>
<!--
  Web-platform test: how the Content Security Policy keyword 'strict-dynamic'
  applies to <link rel=preload as=script>. Three preloads are issued and the
  test asserts that:
    * a preload inserted by a nonced script is loaded,
    * a preload written in markup with the matching nonce is loaded,
    * a preload written in markup without a nonce is not loaded and is
      reported as a script-src-elem violation.
-->
<head>
<script src="/resources/testharness.js" nonce="123"></script>
<script src="/resources/testharnessreport.js" nonce="123"></script>
<title>CSP strict-dynamic + preload</title>
<!--
  Policy under test: only scripts carrying nonce "123" are trusted, and
  'strict-dynamic' extends that trust to what those scripts load themselves.
  The fixed nonce is a test fixture; a deployed policy needs a fresh,
  unpredictable nonce for every response.
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123' 'strict-dynamic'" />
</head>
<body>
<!-- Parser-inserted preload with no nonce: the test expects it to be blocked. -->
<link id="static-no-nonce" href="resources/dummy.js?static-no-nonce" rel=preload as=script>
<!-- Parser-inserted preload with the policy's nonce: the test expects it to load. -->
<link id="static-nonce" href="resources/dummy.js?static-nonce" rel=preload as=script nonce="123">
<script nonce="123">
  // Events seen so far: every securitypolicyviolation, plus the three
  // load/error handlers registered on the preload links below.
  let counter = 0;
  // Set only when the expected violation (unnonced static preload) is reported.
  let cspViolation = false;
  // Returns true when any Resource Timing entry's name contains `url` as a
  // substring. The assertions below treat a missing entry as "not loaded".
  let isLoaded = (url) => {
    let entries = performance.getEntriesByType("resource");
    for (let entry of entries) {
      if (entry.name.indexOf(url) != -1 ) {
        return true;
      }
    }
    return false;
  }
  // Every violation bumps the counter; only a script-src-elem violation whose
  // blockedURI mentions "static-no-nonce" counts as the expected report.
  // NOTE(review): an unrelated violation would also advance `counter` toward
  // the threshold of 4 used by the poller below.
  window.addEventListener("securitypolicyviolation", (e) => {
    counter++;
    if (e.violatedDirective == "script-src-elem" && e.blockedURI.includes("static-no-nonce")) {
      cspViolation = true;
    }
  });
  // Preload created by this nonced script. No nonce is set on the link itself;
  // the test expects it to load because the inserting script is trusted.
  let link = document.createElement("link");
  link.rel = "preload";
  link.href = "resources/dummy.js?dynamic-nonce";
  link.as = "script";
  link.onload = () => { ++counter; };
  document.head.appendChild(link);
  // The blocked preload is expected to fire "error" rather than "load".
  link = document.getElementById("static-no-nonce");
  link.addEventListener("error", () => { ++counter; });
  // The nonced markup preload is expected to fire "load".
  link = document.getElementById("static-nonce");
  link.addEventListener("load", () => { ++counter; });
  let t = async_test('preload from nonced script should work with strict-dynamic. preloaded script from markup should not.');
  let timerCounter = 0;
  // Poll every 100 ms. The assertions run once four events have been counted
  // (violation + two loads + one error) or, as a fallback, on the seventh
  // tick, so a missing event surfaces as an assertion failure instead of a
  // harness timeout.
  // NOTE(review): the interval is never cleared after t.done().
  setInterval(t.step_func(() => {
    if (counter >= 4 || timerCounter > 5) {
      assert_true(isLoaded("dynamic-nonce"), "dynamic inserted preload script should have been loaded");
      assert_true(isLoaded("static-nonce"), "preload tag with a nonce should have been loaded");
      assert_false(isLoaded("static-no-nonce"), "preload tag without a nonce should not have been loaded");
      assert_true(cspViolation, "CSP violation should have fired");
      t.done();
    }
    ++timerCounter;
  }), 100);

</script>
</body>
</html>