script-src-strict_dynamic_hashes.html

mozilla-central/testing/web-platform/tests/content-security-policy/script-src/script-src-strict_dynamic_hashes.html

Enable keyboard shortcuts

Source code

File a bug in Core :: DOM: Security

Revision control

Copy as Markdown

Other Tools

Test Info:

This WPT test may be referenced by the following Test IDs:
- /content-security-policy/script-src/script-src-strict_dynamic_hashes.html - WPT Dashboard Interop Dashboard

<!DOCTYPE HTML>

<html>

<head>

    <title>`strict-dynamic` allows scripts matching hashes present in the policy.</title>

    <script src='/resources/testharness.js' nonce='dummy'></script>

    <script src='/resources/testharnessreport.js' nonce='dummy'></script>

    <!-- CSP served: script-src 'strict-dynamic' 'nonce-dummy' 'sha256-yU6Q7nD1TCBB9JvY06iIJ8ONLOPU4g8ml5JCDgXkv+M=' 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' -->

</head>

<body>

    <h1>`strict-dynamic` allows scripts matching hashes present in the policy.</h1>

    <div id='log'></div>

    <script nonce='dummy'>

        var hashScriptRan = false;

        window.addEventListener('securitypolicyviolation', function(e) {

            assert_unreached('CSP violation reports should not fire.');

});

    </script>

    <!-- Hash: 'sha256-EEoi70frWHkGFhK51NVIJkXpq72aPxSCNZEow37ZmRA=' -->

    <script>

        hashScriptRan = true;

    </script>

    <script nonce='dummy'>

        async_test(function(t) {

            assert_true(hashScriptRan);

            t.done();

        }, "Script matching SHA256 hash is allowed with `strict-dynamic`.");

    </script>

    <!-- Hash: 'sha256-IFt1v6itHgqlrtInbPm/y7qyWcAlDbPgZM+92C5EZ5o=' -->

    <script>

        async_test(function(t) {

            window.addEventListener('message', t.step_func(function(e) {

                if (e.data === 'hashScript') {

                    t.done();

            }));

            var e = document.createElement('script');

            e.id = 'hashScript';

            e.src = 'simpleSourcedScript.js?' + e.id;

            e.onerror = t.unreached_func('Error should not be triggered.');

            document.body.appendChild(e);

        }, 'Script injected via `appendChild` from a script matching SHA256 hash is allowed with `strict-dynamic`.');

    </script>

    <script nonce='dummy'>

        var externalRan = false;

    </script>

    <script src='./externalScript.js'

        integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>

    <script nonce='dummy'>

        test(function(t) {

            assert_true(externalRan);

        }, "External script in a script tag with matching SRI hash is allowed with `strict-dynamic`.");

    </script>

</body>

</html>