10_1_support_1.js |
|
235 |
10_1_support_2.js |
|
161 |
addInlineTestsWithDOMManipulation.js |
|
1314 |
buildInlineWorker.js |
|
425 |
crossoriginScript.js |
|
145 |
|
|
31 |
eval-allowed-in-report-only-mode-and-sends-report.html |
|
651 |
|
|
257 |
eval-allowed-in-report-only-mode.html |
|
474 |
|
|
64 |
externalScript.js |
|
19 |
hash-always-converted-to-utf-8 |
|
|
injected-inline-script-allowed.sub.html |
injected-inline-script-allowed |
814 |
injected-inline-script-blocked.sub.html |
injected-inline-script-blocked |
986 |
inlineSuccessTest.js |
|
437 |
inlineTests.js |
|
758 |
javascript-window-open-blocked.html |
Window.open should not open javascript url if not allowed. |
759 |
|
|
371 |
nonce-enforce-blocked.html |
|
3840 |
script-src-1_1.html |
Inline script should not run without 'unsafe-inline' script-src directive. |
756 |
script-src-1_2.html |
Inline script should not run without 'unsafe-inline' script-src directive. |
746 |
script-src-1_2_1.html |
Inline script attached by DOM manipulation should not run without an 'unsafe-inline' script-src policy, even with default-src * |
723 |
script-src-1_3.html |
Positive test case: Inline script should run with 'unsafe-inline' script-src directive. |
592 |
script-src-1_4.html |
eval() should not run without 'unsafe-eval' script-src directive. |
1003 |
script-src-1_4_1.html |
setTimeout() and setInterval() called with string arguments should not run without 'unsafe-eval' script-src directive. |
1295 |
script-src-1_4_2.html |
Function() called as a constructor should throw without 'unsafe-eval' script-src directive. |
1043 |
script-src-1_10.html |
data: as script src should not run with a policy that doesn't specify data: as an allowed source |
1231 |
script-src-1_10_1.html |
data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline' |
730 |
script-src-multiple-policies-multiple-hashing-algorithms.html |
Multiple policies with different hashing algorithms still work. |
820 |
|
|
380 |
script-src-multiple-policies-one-using-hashing-algorithms.html |
Multiple policies, some using hashes and some not using hashes, still work. |
826 |
|
|
317 |
script-src-overrides-default-src.sub.html |
script-src-overrides-default-src |
895 |
script-src-report-only-policy-works-with-external-hash-policy.html |
A report-only policy that does not allow a script should not affect an enforcing policy using hashes. |
1029 |
|
|
317 |
script-src-report-only-policy-works-with-hash-policy.html |
A report-only policy that does not allow a script should not affect an enforcing policy using hashes. |
1073 |
|
|
317 |
script-src-sri_hash.sub.html |
External scripts with matching SRI hash should be allowed. |
4227 |
|
|
430 |
script-src-strict_dynamic_and_unsafe_eval_eval.html |
Scripts injected via `eval` are allowed with `strict-dynamic` with `unsafe-eval`. |
1104 |
|
|
236 |
script-src-strict_dynamic_and_unsafe_eval_new_function.html |
Scripts injected via `new Function()` are allowed with `strict-dynamic` with `unsafe-eval`. |
1175 |
|
|
236 |
script-src-strict_dynamic_discard_source_expressions.html |
Source expressions are discarded with `strict-dynamic` in the script-src directive. |
1211 |
|
|
229 |
script-src-strict_dynamic_double_policy_different_nonce.html |
A separate policy with more nonces works correctly with `strict-dynamic` in the script-src directive. |
2813 |
|
|
287 |
script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html |
Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive. |
2652 |
|
|
279 |
script-src-strict_dynamic_double_policy_report_only.html |
A separate Report-Only policy does not influence `strict-dynamic` in the script-src directive. |
1798 |
|
|
277 |
script-src-strict_dynamic_eval.html |
Scripts injected via `eval` are not allowed with `strict-dynamic` without `unsafe-eval`. |
1263 |
|
|
222 |
script-src-strict_dynamic_hashes.html |
`strict-dynamic` allows scripts matching hashes present in the policy. |
2315 |
|
|
384 |
script-src-strict_dynamic_in_img-src.html |
`strict-dynamic` does not drop allowed source expressions in `img-src`. |
1093 |
|
|
212 |
script-src-strict_dynamic_javascript_uri.html |
Scripts injected via `javascript:` URIs are not allowed with `strict-dynamic`. |
1130 |
|
|
222 |
script-src-strict_dynamic_meta_tag.html |
A `strict-dynamic` policy can be served in a META tag. |
3207 |
|
|
155 |
script-src-strict_dynamic_new_function.html |
Scripts injected via `new Function()` are not allowed with `strict-dynamic` without `unsafe-eval`. |
1261 |
|
|
222 |
script-src-strict_dynamic_non_parser_inserted.html |
Nonced and non parser-inserted scripts should run with `strict-dynamic` in the script-src directive. |
3200 |
|
|
222 |
script-src-strict_dynamic_non_parser_inserted_incorrect_nonce.html |
Scripts without a correct nonce should not run with `strict-dynamic` in the script-src directive. |
989 |
|
|
222 |
script-src-strict_dynamic_parser_inserted.html |
Parser-inserted scripts without a correct nonce are not allowed with `strict-dynamic` in the script-src directive. |
10439 |
|
|
222 |
script-src-strict_dynamic_parser_inserted_correct_nonce.html |
Parser-inserted scripts with a correct nonce are allowed with `strict-dynamic` in the script-src directive. |
4921 |
|
|
222 |
script-src-strict_dynamic_worker-importScripts.https.html |
|
665 |
script-src-strict_dynamic_worker.https.html |
|
648 |
script-src-wildcards-disallowed.html |
script-src disallowed wildcard use |
2571 |
scripthash-allowed.sub.html |
scripthash-allowed |
1403 |
scripthash-base64url-converts-to-base64.sub.html |
Test whether hash-src are normalized from base64url to base64. |
1191 |
scripthash-basic-blocked-error-event.html |
CSP script-hash block causes error event |
392 |
scripthash-basic-blocked.sub.html |
scripthash-basic-blocked |
2206 |
scripthash-case-insensitive.sub.html |
Test whether hash-algorithm parts are matched case-insensitively |
1884 |
scripthash-changed-1.html |
CSP inline script check is done at #prepare-a-script (hash) |
1542 |
scripthash-changed-2.html |
CSP inline script check is done at #prepare-a-script (hash) |
1513 |
scripthash-default-src.sub.html |
script-hash allowed from default-src |
690 |
scripthash-ignore-unsafeinline.sub.html |
scripthash-ignore-unsafeinline |
1984 |
scripthash-unicode-normalization.sub.html |
scripthash-unicode-normalization |
2780 |
scriptnonce-allowed.sub.html |
scriptnonce-allowed |
2181 |
scriptnonce-and-scripthash.sub.html |
scriptnonce-and-scripthash |
2598 |
scriptnonce-basic-blocked.sub.html |
scriptnonce-basic-blocked |
1470 |
scriptnonce-changed-1.html |
CSP inline script check is done at #prepare-a-script (nonce) |
1240 |
scriptnonce-changed-2.html |
CSP inline script check is done at #prepare-a-script (nonce) |
1225 |
scriptnonce-ignore-unsafeinline.sub.html |
scriptnonce-ignore-unsafeinline |
2443 |
scriptnonce-redirect.sub.html |
scriptnonce-redirect |
2099 |
scriptnonce-specified-source.sub.html |
|
1338 |
|
|
81 |
simpleSourcedScript.js |
|
52 |
srcdoc-doesnt-bypass-script-src.sub.html |
srcdoc-doesnt-bypass-script-src |
1269 |
support |
|
|
worker-data-set-timeout.sub.html |
worker-data-set-timeout |
988 |
worker-eval-blocked.sub.html |
worker-eval-blocked |
1274 |
worker-function-function-blocked.sub.html |
worker-function-function-blocked |
1309 |
worker-importscripts.sub.html |
worker-importscripts |
798 |
worker-script-src.sub.html |
worker-script-src |
983 |
worker-set-timeout.sub.html |
worker-set-timeout |
793 |