File: script-src-strict_dynamic_javascript_uri.html

package info (click to toggle)

firefox 147.0.2-1

links: PTS, VCS
area: main
in suites: sid
size: 4,683,484 kB
sloc: cpp: 7,607,246; javascript: 6,533,185; ansic: 3,775,227; python: 1,415,393; xml: 634,561; asm: 438,951; java: 186,241; sh: 62,752; makefile: 18,079; objc: 13,092; perl: 12,808; yacc: 4,583; cs: 3,846; pascal: 3,448; lex: 1,720; ruby: 1,003; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10; exp: 6

file content (32 lines) | stat: -rw-r--r-- 1,130 bytes

parent folder | download | duplicates (27)

<!DOCTYPE HTML>
<html>

<head>
    <title>Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.</title>
    <script src='/resources/testharness.js' nonce='dummy'></script>
    <script src='/resources/testharnessreport.js' nonce='dummy'></script>

    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' -->
</head>

<body>
    <h1>Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.</h1>
    <div id='log'></div>
    <a id='javascriptUri' href='javascript:javascriptUriScriptRan = true;'></a>

    <script nonce='dummy'>
        var javascriptUriScriptRan = false;

        async_test(function(t) {
            window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
                assert_false(javascriptUriScriptRan);
                assert_equals(e.effectiveDirective, 'script-src-elem');
            }));

            document.getElementById('javascriptUri').click();
            assert_false(javascriptUriScriptRan);
        }, "Script injected via `javascript:` URIs are not allowed with `strict-dynamic`.");
    </script>
</body>

</html>