<!doctype html> <html> <head> <!-- external styles --> <link rel='stylesheet' nonce="correctstylenonce" href="file_CSP.sjs?testid=external_style_correct_nonce_good&type=text/css" /> <link rel='stylesheet' nonce="incorrectstylenonce" href="file_CSP.sjs?testid=external_style_incorrect_nonce_bad&type=text/css" /> <link rel='stylesheet' nonce="correctscriptnonce" href="file_CSP.sjs?testid=external_style_correct_script_nonce_bad&type=text/css" /> <link rel='stylesheet' href="file_CSP.sjs?testid=external_style_no_nonce_bad&type=text/css" /> </head> <body> <!-- inline scripts --> <ol> <li id="inline-script-correct-nonce">(inline script with correct nonce) This text should be green.</li> <li id="inline-script-incorrect-nonce">(inline script with incorrect nonce) This text should be black.</li> <li id="inline-script-correct-style-nonce">(inline script with correct nonce for styles, but not for scripts) This text should be black.</li> <li id="inline-script-no-nonce">(inline script with no nonce) This text should be black.</li> </ol> <script nonce="correctscriptnonce"> document.getElementById("inline-script-correct-nonce").style.color = "rgb(0, 128, 0)"; </script> <script nonce="incorrectscriptnonce"> document.getElementById("inline-script-incorrect-nonce").style.color = "rgb(255, 0, 0)"; </script> <script nonce="correctstylenonce"> document.getElementById("inline-script-correct-style-nonce").style.color = "rgb(255, 0, 0)"; </script> <script> document.getElementById("inline-script-no-nonce").style.color = "rgb(255, 0, 0)"; </script> <!-- external scripts --> <script nonce="correctscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_correct_nonce_good&type=text/javascript"></script> <script nonce="anothercorrectscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_another_correct_nonce_good&type=text/javascript"></script> <script nonce="incorrectscriptnonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_incorrect_nonce_bad&type=text/javascript"></script> <script nonce="correctstylenonce" src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_correct_style_nonce_bad&type=text/javascript"></script> <script src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=external_script_no_nonce_bad&type=text/javascript"></script> <!-- This external script has the correct nonce and comes from a whitelisted URI. It should be allowed. --> <script nonce="correctscriptnonce" src="file_CSP.sjs?testid=external_script_correct_nonce_correct_uri_good&type=text/javascript"></script> <!-- This external script has an incorrect nonce, but comes from a whitelisted URI. It should be allowed. --> <script nonce="incorrectscriptnonce" src="file_CSP.sjs?testid=external_script_incorrect_nonce_correct_uri_good&type=text/javascript"></script> <!-- This external script has no nonce and comes from a whitelisted URI. It should be allowed. --> <script src="file_CSP.sjs?testid=external_script_no_nonce_correct_uri_good&type=text/javascript"></script> <!-- inline styles --> <ol> <li id=inline-style-correct-nonce> (inline style with correct nonce) This text should be green </li> <li id=inline-style-incorrect-nonce> (inline style with incorrect nonce) This text should be black </li> <li id=inline-style-correct-script-nonce> (inline style with correct script, not style, nonce) This text should be black </li> <li id=inline-style-no-nonce> (inline style with no nonce) This text should be black </li> </ol> <style nonce=correctstylenonce> li#inline-style-correct-nonce { color: green; } </style> <style nonce=incorrectstylenonce> li#inline-style-incorrect-nonce { color: red; } </style> <style nonce=correctscriptnonce> li#inline-style-correct-script-nonce { color: red; } </style> <style> li#inline-style-no-nonce { color: red; } </style> </body> </html>