| <!DOCTYPE html> |
| <head> |
| <title>CSP inline script check is done at #prepare-a-script (hash)</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <!-- |
| 'log1 += 'scr1 at #prepare-a-script';' => 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s=' (allowed) |
| 'log1 += 'scr1 at #execute-the-script-block';' => 'sha256-Vtap5AhPN9kbQAbWqObJexCvNDexqoIwo4XsABQBqcg=' (blocked) |
| --> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-sI+xsvqqUw0LQQGgsgkYoXKWhlGgaCqsqVbPx0Z2A4s='"></meta> |
| </head> |
| <!-- |
| "Should element's inline behavior be blocked by Content Security Policy?" |
| is executed at the time of https://html.spec.whatwg.org/C/#prepare-a-script, |
| not at https://html.spec.whatwg.org/C/#execute-the-script-block. |
| So when innerText is modified after #prepare-a-script, the text BEFORE |
| the modification is used for hash check. |
| --> |
| <script nonce="abc"> |
| let log1 = ''; |
| </script> |
| |
| <!-- Execution order: |
| async script is executed |
| -> stylesheet is loaded |
| -> inline script is executed. --> |
| <link rel="stylesheet" href="support/empty.css?dummy=1&pipe=trickle(d2)" type="text/css"> |
| <script src="support/change-scripthash-before-execute.js?dummy=1&pipe=trickle(d1)" async></script> |
| <script id="scr1">log1 += 'scr1 at #prepare-a-script';</script> |
| |
| <script nonce="abc"> |
| test(() => { |
| assert_equals(log1, 'scr1 at #prepare-a-script'); |
| }, 'scr1.innerText before modification should not be blocked'); |
| </script> |