aboutsummaryrefslogtreecommitdiffstats
path: root/test/data
diff options
context:
space:
mode:
authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2019-01-14 19:29:54 +0100
committerGitHub <noreply@github.com>2019-01-14 19:29:54 +0100
commitc7c2855ed13f23322c4064407c1ed84561b95738 (patch)
tree0bae25a4dd554f3066fdc1df65ecf6ea43d81752 /test/data
parent9cb162f6b62b6d4403060a0f0d2065d3ae96bbcc (diff)
downloadjquery-c7c2855ed13f23322c4064407c1ed84561b95738.tar.gz
jquery-c7c2855ed13f23322c4064407c1ed84561b95738.zip
Core: Preserve CSP nonce on scripts in DOM manipulation
Fixes gh-3541 Closes gh-4269
Diffstat (limited to 'test/data')
-rw-r--r--test/data/csp-nonce.html13
-rw-r--r--test/data/csp-nonce.js8
-rw-r--r--test/data/mock.php8
3 files changed, 29 insertions, 0 deletions
diff --git a/test/data/csp-nonce.html b/test/data/csp-nonce.html
new file mode 100644
index 000000000..d35c33fc4
--- /dev/null
+++ b/test/data/csp-nonce.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP nonce Test Page</title>
+ <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="csp-nonce.js"></script>
+</head>
+<body>
+ <p>CSP nonce Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce.js b/test/data/csp-nonce.js
new file mode 100644
index 000000000..507e87e68
--- /dev/null
+++ b/test/data/csp-nonce.js
@@ -0,0 +1,8 @@
+/* global startIframeTest */
+
+jQuery( function() {
+ var script = document.createElement( "script" );
+ script.setAttribute( "nonce", "jquery+hardcoded+nonce" );
+ script.innerHTML = "startIframeTest()";
+ $( document.head ).append( script );
+} );
diff --git a/test/data/mock.php b/test/data/mock.php
index 79110dc45..7e6aa1bec 100644
--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -198,6 +198,14 @@ ok( true, "mock executed");';
echo file_get_contents( __DIR__ . '/csp.include.html' );
}
+ protected function cspNonce( $req ) {
+ // This is CSP only for browsers with "Content-Security-Policy" header support
+ // i.e. no old WebKit or old Firefox
+ header( "Content-Security-Policy: script-src 'nonce-jquery+hardcoded+nonce'; report-uri ./mock.php?action=cspLog" );
+ header( 'Content-type: text/html' );
+ echo file_get_contents( __DIR__ . '/csp-nonce.html' );
+ }
+
protected function cspLog( $req ) {
file_put_contents( $this->cspFile, 'error' );
}