<!--
  Subresource Integrity (SRI) test fixture, loaded inside a frame.
  Each subresource below reports its outcome to the embedding page with
  parent.postMessage: messages starting with "good_" are the expected outcome,
  messages starting with "bad_" mean a resource loaded that should not have.
  NOTE(review): the resources without integrity metadata are expected to be blocked,
  which presumably relies on a policy delivered with this document (for example in
  response headers); that policy is not visible in this file, so confirm it.
  NOTE(review): every postMessage call uses the wildcard target origin '*', so any
  embedder receives the messages. Here they are only fixed status strings; code that
  sends real data should name the expected origin instead.
-->
<script>
// Flag initialised to false; per the original note it is flipped by script_crossdomain1.js.
// Nothing in this file reads it back.
window.hasCORSLoaded = false; // set through script_crossdomain1.js
</script>
<!-- Cross-origin script requested in CORS mode (an empty crossorigin attribute is the
     anonymous mode) and carrying sha512 integrity metadata. Expected to load; onload
     reports good_sriLoaded. No onerror handler is attached, so a failed integrity check
     would not be reported from this tag. -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
crossorigin=""
integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="
onload="parent.postMessage('good_sriLoaded', '*');"></script>
<!-- Cross-origin script with no integrity attribute (the tag also has no crossorigin
     attribute; the original note calls the resource CORS-enabled, presumably meaning the
     server side). Expected to be blocked: onerror reports good_nonsriBlocked, while a
     successful load reports bad_nonsriLoaded. -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain5.js"
onload="parent.postMessage('bad_nonsriLoaded', '*');"
onerror="parent.postMessage('good_nonsriBlocked', '*');"></script>
<!-- Same check for an SVG script element referenced through xlink:href, again without
     integrity metadata. Expected to be blocked: onerror reports good_svg_nonsriBlocked.
     NOTE(review): the extra closing-script line right after this element looks like a
     leftover from editing; it is kept unchanged here, so confirm whether it is intentional. -->
<svg xmlns="http://www.w3.org/2000/svg">
<script xlink:href="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
onload="parent.postMessage('bad_svg_nonsriLoaded', '*');"
onerror="parent.postMessage('good_svg_nonsriBlocked', '*');"></script>
></script>
</svg>
<!-- Stylesheet carrying sha256 integrity metadata. It is referenced by a relative URL and
     the tag has no crossorigin attribute, although the original note describes it as a
     CORS case. Expected to load; onload reports good_sriLoaded, the same message the
     integrity-checked script above sends. -->
<link rel="stylesheet" href="style1.css"
integrity="sha256-qs8lnkunWoVldk5d5E+652yth4VTSHohlBKQvvgGwa8="
onload="parent.postMessage('good_sriLoaded', '*');">
<!-- Stylesheet without integrity metadata. Expected to be blocked: onerror reports
     good_nonsriBlocked, while a successful load reports bad_nonsriLoaded (the same two
     message names the script without integrity uses). -->
<link rel="stylesheet" href="style3.css"
onload="parent.postMessage('bad_nonsriLoaded', '*');"
onerror="parent.postMessage('good_nonsriBlocked', '*');">
<!-- Paragraph with id black-text; presumably the stylesheets above style it so the
     harness can tell which one applied. Confirm against the CSS files. -->
<p id="black-text">black text</p>
<script>
// Worker case: the Worker constructor takes only a script URL (plus options), so the page
// has no way to attach integrity metadata to the worker script.
// this worker should not load,
// given that we can not provide integrity metadata through the constructor
// `w` is assigned without a declaration, so it becomes an implicit global on the window.
w = new Worker("rsf_worker.js");
// The error event on the worker is the expected outcome and ends the test with "finish".
// NOTE(review): `w` already holds the Worker object when this handler is installed, so the
// typeof check looks always true and the "error" branch appears unreachable. Confirm
// whether the check is still needed.
// NOTE(review): no handler reports the case where the worker does load; presumably the
// harness detects that some other way, so verify against the parent test.
w.onerror = function(e) {
if (typeof w == "object") {
parent.postMessage("finish", '*');
} else {
parent.postMessage("error", "*")
}
}
</script>