add corresponding mathml nonce hiding tests in pursuit of whatwg/html…

…#5248 (comment)

content-security-policy/nonce-hiding/mathmlscript-nonces-hidden-meta.tentative.sub.html

@@ -0,0 +1,116 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc'; img-src 'none'">
+
+<body>
+<!-- Basics -->
+<svg xmlns="http://www.w3.org/2000/svg">
+  <script nonce="abc" id="testScript">
+    document.currentScript.setAttribute('executed', 'yay');
+  </script>
+</svg>
+
+<script nonce="abc">
+    var script = document.querySelector('#testScript');
+
+    test(t => {
+      // Query Selector
+      assert_equals(document.querySelector('[nonce]'), script);
+      assert_equals(document.querySelector('[nonce=""]'), null);
+      assert_equals(document.querySelector('[nonce=abc]'), script);
+
+      assert_equals(script.getAttribute('nonce'), 'abc');
+      assert_equals(script.nonce, 'abc');
+    }, "Reading 'nonce' content attribute and IDL attribute.");
+
+    // Clone node.
+    test(t => {
+      script.setAttribute('executed', 'boo');
+      var s2 = script.cloneNode();
+      assert_equals(s2.nonce, 'abc', 'IDL attribute');
+      assert_equals(s2.getAttribute('nonce'), 'abc');
+    }, "Cloned node retains nonce.");
+
+    async_test(t => {
+      var s2 = script.cloneNode();
+      document.head.appendChild(s2);
+      assert_equals(s2.nonce, 'abc');
+      assert_equals(s2.getAttribute('nonce'), 'abc');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        // The cloned script won't execute, as its 'already started' flag is set.
+        assert_equals(s2.getAttribute('executed'), 'boo');
+      }));
+    }, "Cloned node retains nonce when inserted.");
+
+    // Set the content attribute to 'foo'
+    test(t => {
+      script.setAttribute('nonce', 'foo');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+      assert_equals(script.nonce, 'abc');
+    }, "Writing 'nonce' content attribute.");
+
+    // Set the IDL attribute to 'bar'
+    test(t => {
+      script.nonce = 'bar';
+      assert_equals(script.nonce, 'bar');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+    }, "Writing 'nonce' IDL attribute.");
+
+    // Fragment parser.
+    var documentWriteTest = async_test("Document-written script executes.");
+    document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
+      documentWriteTest.done();
+      test(t => {
+        var script = document.currentScript;
+        assert_equals(script.getAttribute('nonce'), 'abc');
+        assert_equals(script.nonce, 'abc');
+      }, "Document-written script's nonce value.");
+    </scr` + `ipt></svg>`);
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('innerScript');
+      innerScript.innerText = script.innerText;
+      innerScript.nonce = 'abc';
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), null, 'innerScript.getAttribute nonce');
+    }, "createElement.nonce.");
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('script');
+      innerScript.innerText = script.innerText;
+      innerScript.setAttribute('nonce', 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
+      assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
+      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Post-insertion content");
+    }, "createElement.setAttribute.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+    #cssTest { display: block; }
+    #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<svg xmlns="http://www.w3.org/2000/svg">
+  <script nonce="abc" id="cssTest">
+      async_test(t => {
+        requestAnimationFrame(t.step_func_done(_ => {
+          var script = document.querySelector('#cssTest');
+          var style = getComputedStyle(script);
+          assert_equals(style['display'], 'block');
+          assert_equals(style['background-image'], "url(\"http://{{domains[]}}:{{ports[http][0]}}/security/resources/abe.png\")");
+        }));
+      }, "Nonces don't leak via CSS side-channels.");
+  </script>
+</svg>

content-security-policy/nonce-hiding/mathmlscript-nonces-hidden.tentative.html

@@ -0,0 +1,117 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js" nonce="abc"></script>
+<script src="/resources/testharnessreport.js" nonce="abc"></script>
+
+<!-- `Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'` delivered via headers -->
+
+<body>
+<!-- Basics -->
+
+<math xmlns="http://www.w3.org/1998/Math/MathML">
+  <script nonce="abc" id="testScript">
+    document.currentScript.setAttribute('executed', 'yay');
+  </script>
+</math>
+
+<script nonce="abc">
+    var script = document.querySelector('#testScript');
+
+    test(t => {
+      // Query Selector
+      assert_equals(document.querySelector('body [nonce]'), script);
+      assert_equals(document.querySelector('body [nonce=""]'), script);
+      assert_equals(document.querySelector('body [nonce=abc]'), null);
+
+      assert_equals(script.getAttribute('nonce'), '');
+      assert_equals(script.nonce, 'abc');
+    }, "Reading 'nonce' content attribute and IDL attribute.");
+
+    // Clone node.
+    test(t => {
+      script.setAttribute('executed', 'boo');
+      var s2 = script.cloneNode();
+      assert_equals(s2.nonce, 'abc', 'IDL attribute');
+      assert_equals(s2.getAttribute('nonce'), '');
+    }, "Cloned node retains nonce.");
+
+    async_test(t => {
+      var s2 = script.cloneNode();
+      document.head.appendChild(s2);
+      assert_equals(s2.nonce, 'abc');
+      assert_equals(s2.getAttribute('nonce'), '');
+
+      window.addEventListener('load', t.step_func_done(_ => {
+        // The cloned script won't execute, as its 'already started' flag is set.
+        assert_equals(s2.getAttribute('executed'), 'boo');
+      }));
+    }, "Cloned node retains nonce when inserted.");
+
+    // Set the content attribute to 'foo'
+    test(t => {
+      script.setAttribute('nonce', 'foo');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+      assert_equals(script.nonce, 'abc');
+    }, "Writing 'nonce' content attribute.");
+
+    // Set the IDL attribute to 'bar'
+    test(t => {
+      script.nonce = 'bar';
+      assert_equals(script.nonce, 'bar');
+      assert_equals(script.getAttribute('nonce'), 'foo');
+    }, "Writing 'nonce' IDL attribute.");
+
+    // Fragment parser.
+    var documentWriteTest = async_test("Document-written script executes.");
+    document.write(`<svg xmlns="http://www.w3.org/2000/svg"><script nonce='abc'>
+      documentWriteTest.done();
+      test(t => {
+        var script = document.currentScript;
+        assert_equals(script.getAttribute('nonce'), '');
+        assert_equals(script.nonce, 'abc');
+      }, "Document-written script's nonce value.");
+    </scr` + `ipt></svg>`);
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('script');
+      innerScript.innerText = script.innerText;
+      innerScript.nonce = 'abc';
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), null);
+    }, "createElement.nonce.");
+
+    // Create node.
+    test(t => {
+      var s = document.createElement('svg');
+      var innerScript = document.createElement('script');
+      innerScript.innerText = script.innerText;
+      innerScript.setAttribute('nonce', 'abc');
+      assert_equals(innerScript.getAttribute('nonce'), 'abc', "Pre-insertion content");
+      assert_equals(innerScript.nonce, 'abc', "Pre-insertion IDL");
+      s.appendChild(innerScript);
+      document.body.appendChild(s);
+      assert_equals(innerScript.nonce, 'abc', "Post-insertion IDL");
+      assert_equals(innerScript.getAttribute('nonce'), '', "Post-insertion content");
+    }, "createElement.setAttribute.");
+</script>
+
+<!-- CSS Leakage -->
+<style>
+    #cssTest { display: block; }
+    #cssTest[nonce=abc] { background: url(/security/resources/abe.png); }
+</style>
+<svg xmlns="http://www.w3.org/2000/svg">
+  <script nonce="abc" id="cssTest">
+      async_test(t => {
+        requestAnimationFrame(t.step_func_done(_ => {
+          var script = document.querySelector('#cssTest');
+          var style = getComputedStyle(script);
+          assert_equals(style['display'], 'block');
+          assert_equals(style['background-image'], 'none');
+        }));
+      }, "Nonces don't leak via CSS side-channels.");
+  </script>
+</svg>

content-security-policy/nonce-hiding/mathmlscript-nonces-hidden.tentative.html.headers

@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'nonce-abc'; img-src 'none'