author | buddh4 <mail@jharrer.de> | 2019-03-19 22:40:30 +0100 |
committer | Michał Gołębiowski-Owczarek <m.goleb@gmail.com> | 2019-03-25 18:14:24 +0100 |
commit | 005040379d8b64aacbe54941d878efa6e86df1cc (patch) | |
tree | 158b1b84fcddcb4271aa5df2955ec017aca6e4e9 /test | |
parent | fe5f04de8fde9c69ed48283b99280aa6df3795c7 (diff) | |
Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323
Closes gh-4328
Diffstat (limited to 'test')
-rw-r--r-- | test/data/csp-nonce-external.html | 13 | ||||
-rw-r--r-- | test/data/csp-nonce-external.js | 5 | ||||
-rw-r--r-- | test/unit/manipulation.js | 23 |
3 files changed, 41 insertions, 0 deletions
diff --git a/test/data/csp-nonce-external.html b/test/data/csp-nonce-external.html
new file mode 100644
index 000000000..8baa85c75
--- /dev/null
+++ b/test/data/csp-nonce-external.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP nonce via jQuery.globalEval Test Page</title>
+ <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="csp-nonce-external.js"></script>
+</head>
+<body>
+ <p>CSP nonce for external script Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce-external.js b/test/data/csp-nonce-external.js
new file mode 100644
index 000000000..efedd5a9a
--- /dev/null
+++ b/test/data/csp-nonce-external.js
@@ -0,0 +1,5 @@
+/* global startIframeTest */
+
+jQuery( function() {
+ $( "body" ).append( "<script nonce='jquery+hardcoded+nonce' src='csp-nonce.js'></script>" );
+} );
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index d8c86e31c..b0d3e3a88 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
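Review bot: The `<title>` of the new fixture still reads `CSP nonce via jQuery.globalEval Test Page`, which looks copied from the globalEval fixture, while the body paragraph correctly says this page is for the external-script case. A mismatched title makes the iframe harder to identify when a CSP report or a hung test is being debugged in the browser. Change it to `<title>CSP nonce for external script Test Page</title>` so it matches the `<p>` text and the test name in manipulation.js.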
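Review bot: `/* global startIframeTest */` declares a global that this file never references; nothing in the five lines calls it, and the harness callback is presumably reached by the `csp-nonce.js` that the appended tag loads rather than by code here. Either drop the directive or replace it with a comment that states the dependency explicitly, e.g. `// csp-nonce.js (appended below) is expected to call startIframeTest() once it executes under the preserved nonce; if the nonce is lost, CSP blocks it and the parent test never gets its callback.` That keeps the fixture's contract with the parent test visible, since nothing on this page otherwise shows how the result reaches manipulation.js.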
@@ -2895,6 +2895,29 @@ testIframe(
 );
 
 testIframe(
+ "Check if CSP nonce is preserved for external scripts with src attribute",
+ "mock.php?action=cspNonce&test=external",
+ function( assert, jQuery, window, document ) {
+ var done = assert.async();
+
+ assert.expect( 1 );
+
+ supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+ assert.equal( data, "", "No log request should be sent" );
+ supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+ } );
+ },
+
+ // Support: Edge 18+, iOS 7-9 only, Android 4.0-4.4 only
+ // Edge doesn't support nonce in non-inline scripts.
+ // See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+ // Old iOS & Android Browser versions support script-src but not nonce, making this test
+ // impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip
+ // script-src restrictions completely.
+ QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
+
+testIframe(
 "jQuery.globalEval supports nonce",
 "mock.php?action=cspNonce&test=globaleval",
 function( assert, jQuery, window, document ) {
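Review bot: The new test's single assertion lives inside the iframe callback, so if a regression drops the nonce the appended script is blocked by CSP, the callback presumably never fires, and the failure surfaces as a QUnit async timeout rather than as the `"No log request should be sent"` message the assertion promises. A short comment above `var done = assert.async();` would spare the next maintainer that detour, e.g. `// Callback only runs once the appended csp-nonce.js executed; a dropped nonce shows up as a timeout, not as a logged CSP report.` The six-line Support comment and the userAgent regex also appear to duplicate the skip condition of the adjacent globalEval test, whose tail is outside this hunk; hoisting both into one shared wrapper constant in this file would keep the two skip lists from drifting apart.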