| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-nonce' *; connect-src 'self';"> |
| <title>script-src disallowed wildcard use</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| </head> |
| <body> |
| <script nonce="nonce"> |
| var t1 = async_test('data: URIs should not match *'); |
| t1.step(function() { |
| var script = document.createElement("script"); |
| script.src = 'data:application/javascript,'; |
| script.addEventListener('load', t1.step_func(function() { |
| assert_unreached('Should not successfully load data URI.'); |
| })); |
| script.addEventListener('error', t1.step_func(function() { |
| t1.done(); |
| })); |
| document.head.appendChild(script); |
| }); |
| |
| var t2 = async_test('blob: URIs should not match *'); |
| t2.step(function() { |
| var b = new Blob([''], { type: 'application/javascript' }); |
| var script = document.createElement('script'); |
| script.addEventListener('load', t2.step_func(function() { |
| assert_unreached('Should not successfully load blob URI.'); |
| })); |
| script.addEventListener('error', t2.step_func(function() { |
| t2.done(); |
| })); |
| |
| script.src = URL.createObjectURL(b); |
| document.head.appendChild(script); |
| }); |
| |
| var t3 = async_test('filesystem URIs should not match *'); |
| if (window.webkitRequestFileSystem) { |
| window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) { |
| fs.root.getFile('fail.js', {create: true}, function(fileEntry) { |
| fileEntry.createWriter(function(fileWriter) { |
| var script = document.createElement('script'); |
| |
| script.addEventListener('load', t3.step_func(function() { |
| assert_unreached('Should not successfully load filesystem URI.'); |
| })); |
| script.addEventListener('error', t3.step_func(function() { |
| t3.done(); |
| })); |
| |
| script.src = fileEntry.toURL('application/javascript'); |
| document.body.appendChild(script); |
| }); |
| }); |
| }); |
| } else { |
| t3.done(); |
| } |
| </script> |
| </body> |
| </html> |