authorMichał Gołębiowski-Owczarek <m.goleb@gmail.com>2019-01-21 18:42:39 +0100
committerGitHub <noreply@github.com>2019-01-21 18:42:39 +0100
commit5bdc85b82b84e5459462ddad9002f22d1ce74f21 (patch)
tree226cbd30d60195d6cf418267852b64188de04050 /test
parente4de8b4626f8872a4cb1ee241b60902653567503 (diff)
Core: Support passing nonce through jQuery.globalEval
Fixes gh-4278 Closes gh-4280 Ref gh-3541 Ref gh-4269
Diffstat (limited to 'test')
-rw-r--r--test/data/csp-nonce-globaleval.html13
-rw-r--r--test/data/csp-nonce-globaleval.js5
-rw-r--r--test/data/mock.php3
-rw-r--r--test/middleware-mockserver.js4
-rw-r--r--test/unit/manipulation.js23
5 files changed, 46 insertions, 2 deletions
diff --git a/test/data/csp-nonce-globaleval.html b/test/data/csp-nonce-globaleval.html
new file mode 100644
index 000000000..aa620c566
--- /dev/null
+++ b/test/data/csp-nonce-globaleval.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <title>CSP nonce via jQuery.globalEval Test Page</title>
+ <script nonce="jquery+hardcoded+nonce" src="../jquery.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="iframeTest.js"></script>
+ <script nonce="jquery+hardcoded+nonce" src="csp-nonce-globaleval.js"></script>
+</head>
+<body>
+ <p>CSP nonce via jQuery.globalEval Test Page</p>
+</body>
+</html>
diff --git a/test/data/csp-nonce-globaleval.js b/test/data/csp-nonce-globaleval.js
new file mode 100644
index 000000000..23d549fd6
--- /dev/null
+++ b/test/data/csp-nonce-globaleval.js
@@ -0,0 +1,5 @@
+/* global startIframeTest */
+
+jQuery( function() {
+ $.globalEval( "startIframeTest()", { nonce: "jquery+hardcoded+nonce" } );
+} );
diff --git a/test/data/mock.php b/test/data/mock.php
index 7e6aa1bec..52de8ae9d 100644
--- a/test/data/mock.php
+++ b/test/data/mock.php
@@ -201,9 +201,10 @@ ok( true, "mock executed");';
protected function cspNonce( $req ) {
// This is CSP only for browsers with "Content-Security-Policy" header support
// i.e. no old WebKit or old Firefox
+ $test = $req->query['test'] ? '-' . $req->query['test'] : '';
header( "Content-Security-Policy: script-src 'nonce-jquery+hardcoded+nonce'; report-uri ./mock.php?action=cspLog" );
header( 'Content-type: text/html' );
- echo file_get_contents( __DIR__ . '/csp-nonce.html' );
+ echo file_get_contents( __DIR__ . '/csp-nonce' . $test . '.html' );
}
protected function cspLog( $req ) {
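Review bot: The new `$test` value in cspNonce comes straight from the query string and is concatenated into the path passed to `file_get_contents`, so the served file is no longer fixed; the `csp-nonce-` prefix and `.html` suffix narrow the choice but do not confine it to the intended fixtures. Restrict it to the expected token shape before use, e.g. `$test = isset( $req->query['test'] ) && preg_match( '/^[a-z0-9]+$/i', $req->query['test'] ) ? '-' . $req->query['test'] : '';`. Assuming `$req->query` is a plain array, the `isset` also avoids the undefined-index notice raised when the parameter is absent, which would be emitted ahead of the `header()` calls if errors are displayed. The same unvalidated concatenation appears in the `cspNonce` mock in test/middleware-mockserver.js. cspLog's body continues outside the hunk.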
diff --git a/test/middleware-mockserver.js b/test/middleware-mockserver.js
index feed28148..12c2e7533 100644
--- a/test/middleware-mockserver.js
+++ b/test/middleware-mockserver.js
@@ -208,11 +208,13 @@ var mocks = {
resp.end( body );
},
cspNonce: function( req, resp ) {
+ var testParam = req.query.test ? "-" + req.query.test : "";
resp.writeHead( 200, {
"Content-Type": "text/html",
"Content-Security-Policy": "script-src 'nonce-jquery+hardcoded+nonce'; report-uri /base/test/data/mock.php?action=cspLog"
} );
- var body = fs.readFileSync( __dirname + "/data/csp-nonce.html" ).toString();
+ var body = fs.readFileSync(
+ __dirname + "/data/csp-nonce" + testParam + ".html" ).toString();
resp.end( body );
},
cspLog: function( req, resp ) {
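Review bot: In `cspNonce`, `fs.readFileSync` now depends on `req.query.test` but still runs after `resp.writeHead( 200, … )`, so a value with no matching fixture throws after the 200 status and CSP header have already been written. Reading the file first and answering 404 on failure keeps a bad `test` value from surfacing as an uncaught exception in the mock server. The `cspLog` handler that follows starts inside the hunk and continues outside it.

```javascript
cspNonce: function( req, resp ) {
	var testParam = req.query.test ? "-" + req.query.test : "";
	var body;
	try {
		body = fs.readFileSync(
			__dirname + "/data/csp-nonce" + testParam + ".html" ).toString();
	} catch ( e ) {
		resp.writeHead( 404 );
		resp.end();
		return;
	}
	// … unchanged: resp.writeHead( 200, … ) with the Content-Security-Policy header …
	resp.end( body );
},
```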
diff --git a/test/unit/manipulation.js b/test/unit/manipulation.js
index 7f30ddf25..0acb45f3e 100644
--- a/test/unit/manipulation.js
+++ b/test/unit/manipulation.js
@@ -2888,3 +2888,26 @@ testIframe(
// script-src restrictions completely.
QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
);
+
+testIframe(
+ "jQuery.globalEval supports nonce",
+ "mock.php?action=cspNonce&test=globaleval",
+ function( assert, jQuery, window, document ) {
+ var done = assert.async();
+
+ assert.expect( 1 );
+
+ supportjQuery.get( baseURL + "support/csp.log" ).done( function( data ) {
+ assert.equal( data, "", "No log request should be sent" );
+ supportjQuery.get( baseURL + "mock.php?action=cspClean" ).done( done );
+ } );
+ },
+
+ // Support: Edge 18+, iOS 7-9 only, Android 4.0-4.4 only
+ // Edge doesn't support nonce in non-inline scripts.
+ // See https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/13246371/
+ // Old iOS & Android Browser versions support script-src but not nonce, making this test
+ // impossible to run. Browsers not supporting CSP at all are not a problem as they'll skip
+ // script-src restrictions completely.
+ QUnit[ /\bedge\/|iphone os [789]|android 4\./i.test( navigator.userAgent ) ? "skip" : "test" ]
+);
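Review bot: The `supportjQuery.get( baseURL + "support/csp.log" )` call in the new test has only a `.done` handler, so if the log request fails `done` is never called, the test ends in a timeout instead of a clear failure, and `cspClean` is skipped. Adding `.fail( function() { assert.ok( false, "csp.log could not be read" ); done(); } )` would report the problem directly and still satisfy `assert.expect( 1 )`. The skip comment and user-agent regex are copied verbatim from the preceding test (only its tail is visible in this hunk); a shared helper would keep the two from drifting.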