TEST_F(ContentSecurityPolicyTest, NonceSinglePolicy)
{
    struct TestCase {
        const char* policy;
        const char* url;
        const char* nonce;
        bool allowed;
    } cases[] = {
        { "script-src 'nonce-yay'", "https://example.com/js", "", false },
        { "script-src 'nonce-yay'", "https://example.com/js", "yay", true },
        { "script-src https://example.com", "https://example.com/js", "", true },
        { "script-src https://example.com", "https://example.com/js", "yay", true },
        { "script-src https://example.com 'nonce-yay'", "https://not.example.com/js", "", false },
        { "script-src https://example.com 'nonce-yay'", "https://not.example.com/js", "yay", true },
    };

    for (const auto& test : cases) {
        SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy << "`, URL: `" << test.url << "`, Nonce: `" << test.nonce << "`");
        KURL resource = KURL(KURL(), test.url);

        unsigned expectedReports = test.allowed ? 0u : 1u;

        // Single enforce-mode policy should match `test.expected`:
        Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create();
        policy->bindToExecutionContext(document.get());
        policy->didReceiveHeader(test.policy, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
        EXPECT_EQ(test.allowed, policy->allowScriptFromSource(resource, String(test.nonce)));
        // If this is expected to generate a violation, we should have sent a report.
        EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());

        // Single report-mode policy should always be `true`:
        policy = ContentSecurityPolicy::create();
        policy->bindToExecutionContext(document.get());
        policy->didReceiveHeader(test.policy, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
        EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce)));
        // If this is expected to generate a violation, we should have sent a report, even though
        // we don't deny access in `allowScriptFromSource`:
        EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
    }
}
TEST_F(ContentSecurityPolicyTest, NonceMultiplePolicy)
{
    struct TestCase {
        const char* policy1;
        const char* policy2;
        const char* url;
        const char* nonce;
        bool allowed1;
        bool allowed2;
    } cases[] = {
        // Passes both:
        { "script-src 'nonce-yay'", "script-src 'nonce-yay'", "https://example.com/js", "yay", true, true },
        { "script-src https://example.com", "script-src 'nonce-yay'", "https://example.com/js", "yay", true, true },
        { "script-src 'nonce-yay'", "script-src https://example.com", "https://example.com/js", "yay", true, true },
        { "script-src https://example.com 'nonce-yay'", "script-src https://example.com 'nonce-yay'", "https://example.com/js", "yay", true, true },
        { "script-src https://example.com 'nonce-yay'", "script-src https://example.com 'nonce-yay'", "https://example.com/js", "", true, true },
        { "script-src https://example.com", "script-src https://example.com 'nonce-yay'", "https://example.com/js", "yay", true, true },
        { "script-src https://example.com 'nonce-yay'", "script-src https://example.com", "https://example.com/js", "yay", true, true },

        // Fails one:
        { "script-src 'nonce-yay'", "script-src https://example.com", "https://example.com/js", "", false, true },
        { "script-src 'nonce-yay'", "script-src 'none'", "https://example.com/js", "yay", true, false },
        { "script-src 'nonce-yay'", "script-src https://not.example.com", "https://example.com/js", "yay", true, false },

        // Fails both:
        { "script-src 'nonce-yay'", "script-src https://example.com", "https://not.example.com/js", "", false, false },
        { "script-src https://example.com", "script-src 'nonce-yay'", "https://not.example.com/js", "", false, false },
        { "script-src 'nonce-yay'", "script-src 'none'", "https://not.example.com/js", "boo", false, false },
        { "script-src 'nonce-yay'", "script-src https://not.example.com", "https://example.com/js", "", false, false },
    };

    for (const auto& test : cases) {
        SCOPED_TRACE(testing::Message() << "Policy: `" << test.policy1 << "`/`" << test.policy2 << "`, URL: `" << test.url << "`, Nonce: `" << test.nonce << "`");
        KURL resource = KURL(KURL(), test.url);

        unsigned expectedReports = test.allowed1 != test.allowed2 ? 1u : (test.allowed1 ? 0u : 2u);

        // Enforce / Report
        Persistent<ContentSecurityPolicy> policy = ContentSecurityPolicy::create();
        policy->bindToExecutionContext(document.get());
        policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
        policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
        EXPECT_EQ(test.allowed1, policy->allowScriptFromSource(resource, String(test.nonce)));
        EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());

        // Report / Enforce
        policy = ContentSecurityPolicy::create();
        policy->bindToExecutionContext(document.get());
        policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
        policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
        EXPECT_EQ(test.allowed2, policy->allowScriptFromSource(resource, String(test.nonce)));
        EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());

        // Enforce / Enforce
        policy = ContentSecurityPolicy::create();
        policy->bindToExecutionContext(document.get());
        policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
        policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeEnforce, ContentSecurityPolicyHeaderSourceHTTP);
        EXPECT_EQ(test.allowed1 && test.allowed2, policy->allowScriptFromSource(resource, String(test.nonce)));
        EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());

        // Report / Report
        policy = ContentSecurityPolicy::create();
        policy->bindToExecutionContext(document.get());
        policy->didReceiveHeader(test.policy1, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
        policy->didReceiveHeader(test.policy2, ContentSecurityPolicyHeaderTypeReport, ContentSecurityPolicyHeaderSourceHTTP);
        EXPECT_TRUE(policy->allowScriptFromSource(resource, String(test.nonce)));
        EXPECT_EQ(expectedReports, policy->m_violationReportsSent.size());
    }
}