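// Inline script/style gated by 'nonce-...' source expressions.
//
// For each case the same policy is exercised four ways: under `script-src`
// and `style-src`, each in enforce and report-only mode. The last two cases
// pin the CSP Level 2 rule that 'unsafe-inline' is ignored once a nonce
// source is present, so a missing/wrong nonce is still blocked. The four
// variants are driven by one helper so a failure is tagged with the
// directive and mode via SCOPED_TRACE instead of relying on source lines.
TEST_F(ContentSecurityPolicyTest, NonceInline) {
  struct TestCase {
    const char* policy;   // source list appended to the directive name
    const char* nonce;    // nonce attribute supplied by the inline block
    bool allowed;         // expected decision in enforce mode
  } cases[] = {
      {"'unsafe-inline'", "", true},
      {"'unsafe-inline'", "yay", true},
      {"'nonce-yay'", "", false},
      {"'nonce-yay'", "yay", true},
      {"'unsafe-inline' 'nonce-yay'", "", false},
      {"'unsafe-inline' 'nonce-yay'", "yay", true},
  };

  String contextURL;
  String content;
  WTF::OrdinalNumber contextLine;

  for (const auto& test : cases) {
    SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy
                                    << "`, Nonce: `" << test.nonce << "`");
    // A disallowed inline block yields exactly one violation report in both
    // enforce and report-only mode; an allowed one yields none.
    const unsigned expectedReports = test.allowed ? 0u : 1u;

    // Installs `directive` + the case's source list under the given mode,
    // checks the inline-script (or inline-style) decision, then the report
    // count. In report-only mode the block is always allowed; only the
    // report count reflects the policy.
    auto check = [&](const char* directive, bool enforce, bool isScript) {
      SCOPED_TRACE(testing::Message()
                   << "Directive: `" << directive << "`, Mode: "
                   << (enforce ? "enforce" : "report"));
      Persistent<ContentSecurityPolicy> policy =
          ContentSecurityPolicy::create();
      policy->bindToExecutionContext(document.get());
      policy->didReceiveHeader(String(directive) + test.policy,
                               enforce ? ContentSecurityPolicyHeaderTypeEnforce
                                       : ContentSecurityPolicyHeaderTypeReport,
                               ContentSecurityPolicyHeaderSourceHTTP);

      const bool expectedAllowed = enforce ? test.allowed : true;
      const bool allowed =
          isScript ? policy->allowInlineScript(contextURL, String(test.nonce),
                                               contextLine, content)
                   : policy->allowInlineStyle(contextURL, String(test.nonce),
                                              contextLine, content);
      EXPECT_EQ(expectedAllowed, allowed);
      EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
    };

    check("script-src ", /*enforce=*/true, /*isScript=*/true);
    check("style-src ", /*enforce=*/true, /*isScript=*/false);
    check("script-src ", /*enforce=*/false, /*isScript=*/true);
    check("style-src ", /*enforce=*/false, /*isScript=*/false);
  }
}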