| <!DOCTYPE html> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc'"> |
| <script src="/resources/testharness.js" nonce="abc"></script> |
| <script src="/resources/testharnessreport.js" nonce="abc"></script> |
| |
| <!-- Parser-inserted script --> |
| <script nonce="abc"> |
| internals.registerURLSchemeAsBypassingContentSecurityPolicy('http'); |
| </script> |
| <script id="test1" src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t1"></script> |
| <script nonce="abc"> |
| test(t => { |
| assert_equals(document.querySelector("#test1").getAttribute("loaded"), null); |
| }, "Parser-inserted scripts do not bypass."); |
| </script> |
| |
| <!-- Non-parser-inserted script --> |
| <script nonce="abc"> |
| internals.registerURLSchemeAsBypassingContentSecurityPolicy('http'); |
| async_test(t => { |
| var s = document.createElement("script"); |
| s.id = "test2"; |
| s.src = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-set-attribute.js?t2"; |
| s.onerror = t.unreached_func("The script should execute."); |
| s.onload = t.step_func_done(_ => { |
| assert_equals(s.getAttribute("loaded"), "true"); |
| }); |
| document.head.appendChild(s); |
| }, "Parser-inserted scripts do not bypass."); |
| </script> |
| |
| <!-- Cleanup --> |
| <script nonce="abc"> |
| add_completion_callback(_ => { |
| internals.removeURLSchemeRegisteredAsBypassingContentSecurityPolicy('http'); |
| }); |
| </script> |