Codebase Browser
chromium
Go to App

chromium/third_party/blink/web_tests/http/tests/security/contentSecurityPolicy/strict-dynamic/script-src-strict-dynamic-allowed.html 

<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcdefg' 'strict-dynamic' http://localhost:8000">
    <script src="/resources/testharness.js" nonce="abcdefg"></script>
    <script src="/resources/testharnessreport.js" nonce="abcdefg"></script>
    <script src="../resources/securitypolicyviolation-helper.js" nonce="abcdefg"></script>
</head>
<body>
    <!-- Need to individually wrap test cases in script blocks. Violation reports triggered by document.write() calls while the parser is waiting on blocking scipts are missing line numbers. See: https://crbug.com/649085. -->
    <script nonce="abcdefg">
        async_test(function (t) {
          assert_script_failed(t, generateURL("write"), 14);
          document.write("<scr" + "ipt src='" + generateURL("write") + "'></scr" + "ipt>");
        }, "Script injected via 'document.write' is not allowed with 'strict-dynamic', even if whitelisted.");
    </script>
    <script nonce="abcdefg">
        async_test(function (t) {
          assert_script_failed(t, generateURL("write-defer"), 20);
          document.write("<scr" + "ipt defer src='" + generateURL("write-defer") + "'></scr" + "ipt>");
        }, "Deferred script injected via 'document.write' is not allowed with 'strict-dynamic', even if whitelisted.");
    </script>
    <script nonce="abcdefg">
        async_test(function (t) {
          assert_script_failed(t, generateURL("write-async"), 26);
          document.write("<scr" + "ipt async src='" + generateURL("write-async") + "'></scr" + "ipt>");
        }, "Async script injected via 'document.write' is not allowed with 'strict-dynamic', even if whitelisted.");
    </script>
</body>
</html>