| <!DOCTYPE html> |
| <html> |
| |
| <head> |
| <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncracies.--> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';"> |
| <title>scripthash-unicode-normalization</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> |
| </head> |
| |
| <body> |
| <!-- The following two scripts contain two separate code points (U+00C5 |
| and U+212B, respectively) which, depending on your text editor, might be |
| rendered the same.However, their difference is important because, under |
| NFC normalization, they would become the same code point, which would be |
| against the spec. This test, therefore, validates that the scripts have |
| *different* hash values. --> |
| <script nonce="nonceynonce"> |
| var t_spv = async_test("Should fire securitypolicyviolation"); |
| window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) { |
| assert_equals(e.violatedDirective, "script-src-elem"); |
| })); |
| |
| var matchingContent = 'Å'; |
| var nonMatchingContent = 'Å'; |
| |
| // This script should have a hash value of |
| // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c= |
| var scriptContent1 = "window.finish('" + matchingContent + "');"; |
| |
| // This script should have a hash value of |
| // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM= |
| var scriptContent2 = "window.finish('" + nonMatchingContent + "');"; |
| |
| var script1 = document.createElement('script'); |
| var script2 = document.createElement('script'); |
| |
| script1.test = async_test("Only matching content runs even with NFC normalization."); |
| |
| var failure = function() { |
| assert_unreached(); |
| } |
| |
| window.finish = function(content) { |
| if (content == matchingContent) { |
| script1.test.step(function() { |
| script1.test.done(); |
| }); |
| } else { |
| script1.test.step(function() { |
| assert_unreached("nonMatchingContent script ran"); |
| }); |
| } |
| } |
| |
| script1.onerror = failure; |
| |
| document.body.appendChild(script2); |
| script2.textContent = scriptContent2; |
| document.body.appendChild(script1); |
| script1.textContent = scriptContent1; |
| </script> |
| |
| <p> |
| This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode points, but through normalization, should be the same when the hash is taken. |
| </p> |
| <div id="log"></div> |
| </body> |
| |
| </html> |