Mercurial > mozilla-central / file revision / testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html@23763b72c35abeead04f63e4503c28abc73d065d
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
testing/web-platform/tests/content-security-policy/embedded-enforcement/subsumption_algorithm-nonces.html
author Sotaro Ikeda <sotaro.ikeda.g@gmail.com>
Thu, 10 Jul 2025 00:10:09 +0000 (5 hours ago)
changeset 795941 23763b72c35abeead04f63e4503c28abc73d065d
parent 535329 3664274742c13a240a1730a7787d3f2a0995d9ad
permissions -rw-r--r--
Bug 1976135 - Remove nightly only limitation of pref gfx.webrender.layer-compositor r=gfx-reviewers,gw Differential Revision: https://phabricator.services.mozilla.com/D256379
<!DOCTYPE html>
<html>
<head>
<title>Embedded Enforcement: Subsumption Algorithm - Nonces.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script src="support/testharness-helper.sub.js"></script>
</head>
<body>
  <script>
    var tests = [
      { "name": "Exact nonce subsumes.",
        "required_csp": "style-src 'nonce-abc'",
        "returned_csp_1": "style-src 'nonce-abc'",
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Any nonce subsumes.",
        "required_csp": "style-src 'nonce-abc'",
        "returned_csp_1": "style-src 'nonce-xyz'",
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "A nonce has to be returned if required by the embedder.",
        "required_csp": "style-src 'nonce-abc'",
        "returned_csp_1": "style-src http://example1.com/foo",
        "expected": IframeLoad.EXPECT_BLOCK },
      { "name": "Multiples nonces returned subsume.",
        "required_csp": "style-src 'nonce-abc'",
        "returned_csp_1": "style-src 'nonce-xyz' 'nonce-abc'",
        "expected": IframeLoad.EXPECT_LOAD },
      // nonce intersection
      { "name": "Nonce intersection is still done on exact match - non-matching nonces.",
        "required_csp": "style-src 'none'",
        "returned_csp_1": "style-src 'nonce-def'",
        "returned_csp_2": "style-src 'nonce-xyz'",
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Nonce intersection is still done on exact match - matching nonces.",
        "required_csp": "style-src 'none'",
        "returned_csp_1": "style-src 'nonce-def'",
        "returned_csp_2": "style-src 'nonce-def' 'nonce-xyz'",
        "expected": IframeLoad.EXPECT_BLOCK },
      // other expressions still have to work
      { "name": "Other expressions still have to be subsumed - positive test.",
        "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'",
        "returned_csp_1": "style-src http://example1.com/foo/ 'nonce-xyz'",
        "expected": IframeLoad.EXPECT_LOAD },
      { "name": "Other expressions still have to be subsumed - negative test",
        "required_csp": "style-src http://example1.com/foo/ 'nonce-abc'",
        "returned_csp_1": "style-src http://not-example1.com/foo/ 'nonce-xyz'",
        "expected": IframeLoad.EXPECT_BLOCK },
    ];
    tests.forEach(test => {
      async_test(t =>  {
        var url = generateUrlWithPolicies(Host.CROSS_ORIGIN, test.returned_csp_1);
        if (test.returned_csp_2)
          url.searchParams.append("policy2", test.returned_csp_2);
        assert_iframe_with_csp(t, url, test.required_csp, test.expected, test.name, null);
      }, test.name);
    });
  </script>
</body>
</html>
mozilla-central
Deployed from 0549d7aefb93 at 2025-06-12T15:23:35Z.