scripthash-changed-1.html

Enable keyboard shortcuts

This test has a WPT meta file that expects 1 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /content-security-policy/script-src/scripthash-changed-1.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<head>

    <title>CSP inline script check is done at #prepare-a-script (hash)</title>

    <script src="/resources/testharness.js"></script>

    <script src="/resources/testharnessreport.js"></script>

    <!--

      'log1 += 'scr1 at #prepare-a-script';' => 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s=' (allowed)

      'log1 += 'scr1 at #execute-the-script-block';' => 'sha256-Vtap5AhPN9kbQAbWqObJexCvNDexqoIwo4XsABQBqcg=' (blocked)

-->

    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s='"></meta>

</head>

<!--

  "Should element's inline behavior be blocked by Content Security Policy?"

  is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script,

  not at https://html.spec.whatwg.org/C/#execute-the-script-block.

  So when innerText is modified after #prepare-a-script, the text BEFORE

  the modification is used for hash check.

-->

<script nonce="abc">

let log1 = '';

</script>

<!--  Execution order:

  async script is executed

  -> stylesheet is loaded

  -> inline script is executed. -->

<link rel="stylesheet" href="support/empty.css?dummy=1&pipe=trickle(d2)" type="text/css">

<script src="support/change-scripthash-before-execute.js?dummy=1&pipe=trickle(d1)" async></script>

<script id="scr1">log1 += 'scr1 at #prepare-a-script';</script>

<script nonce="abc">

test(() => {

  assert_equals(log1, 'scr1 at #prepare-a-script');

}, 'scr1.innerText before modification should not be blocked');

</script>