1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
<!DOCTYPE HTML>
<html>
<head>
<title>`strict-dynamic` allows scripts matching hashes present in the policy.</title>
<script src='/resources/testharness.js' nonce='dummy'></script>
<script src='/resources/testharnessreport.js' nonce='dummy'></script>
<!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->
</head>
<body>
<h1>`strict-dynamic` allows scripts matching hashes present in the policy.</h1>
<div id='log'></div>
<script nonce='dummy'>
var hashScriptRan = false;
window.addEventListener('securitypolicyviolation', function(e) {
assert_unreached('CSP violation reports should not fire.');
});
</script>
<!-- Hash: 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->
<script>
hashScriptRan = true;
</script>
<script nonce='dummy'>
async_test(function(t) {
assert_true(hashScriptRan);
t.done();
}, "Script matching SHA256 hash is allowed with `strict-dynamic`.");
</script>
<!-- Hash: 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' -->
<script>
async_test(function(t) {
window.addEventListener('message', t.step_func(function(e) {
if (e.data === 'hashScript') {
t.done();
}
}));
var e = document.createElement('script');
e.id = 'hashScript';
e.src = 'simpleSourcedScript.js?' + e.id;
e.onerror = t.unreached_func('Error should not be triggered.');
document.body.appendChild(e);
}, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.');
</script>
</body>
</html>
|
