Bug 1316826 - Test for JS URLs and strict-dynamic. r=dveditz

MozReview-Commit-ID: EKmYoZbap25
Frederik Braun 2016-11-28 21:56:55 -05:00
parent 76e256d114
commit 29efcb86ac
3 changed files with 23 additions and 1 deletions


@ -0,0 +1,15 @@
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1316826 - 'strict-dynamic' blocking DOM event handlers</title>
</head>
<body>
<div id="testdiv">blocked</div>
<a id="jslink" href='javascript:document.getElementById("testdiv").innerHTML = "allowed"'>click me</a>
<script nonce="foo">
document.getElementById("jslink").click();
</script>
</body>
</html>
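Review bot: The `<title>` still reads "'strict-dynamic' blocking DOM event handlers", which looks carried over from the script-events test, while this file exercises a `javascript:` URL on the `jslink` anchor. I would rename it to `<title>Bug 1316826 - 'strict-dynamic' blocking javascript: URLs</title>` so a failure log points at the right behaviour. A short comment above the nonced script would also help, e.g. `<!-- the nonced script is allowed to run; the javascript: URL it clicks must not inherit that trust -->`, because the file depends on the inline script running and only the navigation being refused.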


@ -189,6 +189,7 @@ support-files =
file_upgrade_insecure_docwrite_iframe.sjs
file_data-uri_blocked.html
file_data-uri_blocked.html^headers^
file_strict_dynamic_js_url.html
file_strict_dynamic_script_events.html
file_strict_dynamic_script_events_xbl.html
file_strict_dynamic_script_inline.html


@ -84,7 +84,13 @@ var tests = [
result: "blocked",
file: "file_strict_dynamic_script_events_xbl.html",
policy: "script-src 'strict-dynamic' 'nonce-foo'"
}
},
{
desc: "strict-dynamic with JS URLs should be blocked",
result: "blocked",
file: "file_strict_dynamic_js_url.html",
policy: "script-src 'strict-dynamic' 'nonce-foo'"
},
];
var counter = 0;
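Review bot: The new entry expects `result: "blocked"`, which is also the initial text of `testdiv` in file_strict_dynamic_js_url.html, so it would pass even if the click never fired or the result was read before the `javascript:` navigation could run. The code that reads the result is outside this hunk, so this is inferred rather than confirmed. A control entry that reuses the same file under a policy where the JS URL is expected to run would show that the negative result really comes from CSP, for example `policy: "script-src 'unsafe-inline'"` with `result: "allowed"`. If the harness can observe CSP violations, asserting that one is raised for the `javascript:` URL would tighten it further.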