LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_whitelist.sub.html - WebKit - Git at Google

 <!DOCTYPE HTML>
 <html>

 <head>
     <title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>

     <!-- CSP served:
     1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
     2) Content-Security-Policy: script-src 'self' 'nonce-dummy'
     -->
 </head>

 <body>
     <h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
     <div id='log'></div>

     <script nonce='dummy'>
         async_test(function(t) {
             window.addEventListener('message', t.step_func(function(e) {
                 if (e.data === 'whitelisted-appendChild') {
                     t.done();
                 }
             }));
             window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
                 if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') {
                     return;
                 }
                 assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
             }));

             var e = document.createElement('script');
             e.id = 'whitelisted-appendChild';
             e.src = 'simpleSourcedScript.js?' + e.id;
             e.onerror = t.unreached_func('Error should not be triggered.');
             document.body.appendChild(e);
         }, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
     </script>

     <script nonce='dummy'>
         async_test(function(t) {
             window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
                 if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
                     return;
                 }
                 assert_equals(violation.effectiveDirective, 'script-src-elem');
                 assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
                 t.done();
             }));

             var e = document.createElement('script');
             e.id = 'nonWhitelisted-appendChild';
             e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
             e.onload = t.unreached_func('OnLoad should not be triggered.');
             document.body.appendChild(e);
         }, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.');
     </script>
 </body>

 </html>
	<!DOCTYPE HTML>
	<html>

	<head>
	<title>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</title>
	<script src='/resources/testharness.js' nonce='dummy'></script>
	<script src='/resources/testharnessreport.js' nonce='dummy'></script>

	<!-- CSP served:
	1) Content-Security-Policy: script-src 'strict-dynamic' 'nonce-dummy'
	2) Content-Security-Policy: script-src 'self' 'nonce-dummy'
	-->
	</head>

	<body>
	<h1>Whitelists in a separate policy are honored with `strict-dynamic` in the script-src directive.</h1>
	<div id='log'></div>

	<script nonce='dummy'>
	async_test(function(t) {
	window.addEventListener('message', t.step_func(function(e) {
	if (e.data === 'whitelisted-appendChild') {
	t.done();
	}
	}));
	window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
	if (violation.blockedURI.split('?')[1] !== 'whitelisted-appendChild') {
	return;
	}
	assert_unreached('Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
	}));

	var e = document.createElement('script');
	e.id = 'whitelisted-appendChild';
	e.src = 'simpleSourcedScript.js?' + e.id;
	e.onerror = t.unreached_func('Error should not be triggered.');
	document.body.appendChild(e);
	}, 'Script injected via `appendChild` is allowed with `strict-dynamic` + a nonce+whitelist double policy.');
	</script>

	<script nonce='dummy'>
	async_test(function(t) {
	window.addEventListener('securitypolicyviolation', t.step_func(function(violation) {
	if (violation.blockedURI.split('?')[1] !== 'nonWhitelisted-appendChild') {
	return;
	}
	assert_equals(violation.effectiveDirective, 'script-src-elem');
	assert_equals(violation.originalPolicy, "script-src 'self' 'nonce-dummy'");
	t.done();
	}));

	var e = document.createElement('script');
	e.id = 'nonWhitelisted-appendChild';
	e.src = '{{location[scheme]}}://{{domains[www2]}}:{{ports[http][0]}}/nonexisting.js?' + e.id;
	e.onload = t.unreached_func('OnLoad should not be triggered.');
	document.body.appendChild(e);
	}, 'Non-whitelisted script injected via `appendChild` is not allowed with `strict-dynamic` + a nonce+whitelist double policy.');
	</script>
	</body>

	</html>