aboutsummaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
authorbuddh4 <mail@jharrer.de>2019-03-19 22:40:30 +0100
committerMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2019-03-25 18:14:24 +0100
commit005040379d8b64aacbe54941d878efa6e86df1cc (patch)
tree158b1b84fcddcb4271aa5df2955ec017aca6e4e9 /test
parentfe5f04de8fde9c69ed48283b99280aa6df3795c7 (diff)
downloadjquery-005040379d8b64aacbe54941d878efa6e86df1cc.tar.gz
jquery-005040379d8b64aacbe54941d878efa6e86df1cc.zip
Core: Preserve CSP nonce on scripts with src attribute in DOM manipulation
Fixes gh-4323 Closes gh-4328
Diffstat (limited to 'test')
-rw-r--r--test/data/csp-nonce-external.html13
-rw-r--r--test/data/csp-nonce-external.js5
-rw-r--r--test/unit/manipulation.js23
3 files changed, 41 insertions, 0 deletions
diff --git a/test/data/csp-nonce-external.html b/test/data/csp-nonce-external.html
new file mode 100644
index 000000000..8baa85c75
--- /dev/null
+++ b/test/data/csp-nonce-external.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP nonce via jQuery.globalEval Test Page</title>
+ <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="csp-nonce-external.js"></script>
+</head>
+<body>
+ <p>CSP nonce for external script Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce-external.js b/test/data/csp-nonce-external.js
new file mode 100644
index 000000000..efedd5a9a
--- /dev/null
+++ b/test/data/csp-nonce-external.js
@@ -0,0 +1,5 @@
+/* global startIframeTest */
+
+jQuery( function() {
+ $( "body" ).append( "<script nonce='jquery+hardcoded+nonce' src='csp-nonce.js'></script>" );
+} );
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index d8c86e31c..b0d3e3a88 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2895,6 +2895,29 @@ testIframe(
);
testIframe(
+ "Check if CSP nonce is preserved for external scripts with src attribute",
+ "mock.php?action=cspNonce&test=external",
+ function( assert, jQuery, window, document ) {
+ var done = assert.async();
+
+ assert.expect( 1 );
+
+ supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+ assert.equal( data, "", "No log request should be sent" );
+ supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+ } );
+ },
+
+ // Support: Edge 18+, iOS 7-9 only, Android 4.0-4.4 only
+ // Edge doesn't support nonce in non-inline scripts.
+ // See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+ // Old iOS & Android Browser versions support script-src but not nonce, making this test
+ // impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip
+ // script-src restrictions completely.
+ QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
+
+testIframe(
"jQuery.globalEval supports nonce",
"mock.php?action=cspNonce&test=globaleval",
function( assert, jQuery, window, document ) {