<?php
header("Content-Security-Policy: script-src 'self' 'nonce-abc'");
header("Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'self'");
?>
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script nonce="abc">
async_test(t => {
var watcher = new EventWatcher(t, document, ['securitypolicyviolation','securitypolicyviolation']);
watcher
.wait_for('securitypolicyviolation')
.then(t.step_func(e => {
assert_equals(e.blockedURI, "inline");
assert_equals(e.lineNumber, 23);
return watcher.wait_for('securitypolicyviolation');
}))
.then(t.step_func_done(e => {
assert_equals(e.blockedURI, "inline");
assert_equals(e.lineNumber, 26);
}));
}, "Unnonced script blocks generate reports.");
var executed_test = async_test("Nonced script executes, and does not generate a violation report.");
var unexecuted_test = async_test("Blocks without correct nonce do not execute, and generate violation reports");
</script>
<script>
unexecuted_test.assert_unreached("This code block should not execute.");
</script>
<script nonce="xyz">
unexecuted_test.assert_unreached("This code block should not execute.");
</script>
<script nonce="abc">
executed_test.done();
unexecuted_test.done();
</script>
Codebase Browser
chromium