Content Security Policy: Apply strict-dynamic for ScriptSpeculationRules

ContentSecurityPolicy::InlineType::kScriptSpeculationRules was introduced to differentiate speculationrules from other scripts. But, strict-dynamic supporting code doesn't recognize the type correctly. The spec change was discussed here. WICG/nav-speculation#245 CSP spec diffs for the speculationrules is published here. https://wicg.github.io/nav-speculation/speculation-rules.html#content-security-policy Bug: 1427005 Change-Id: I24830c34fd191f2e2d2aae901a07b0a1322afa60 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4368394 Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1122391}
web-platform-tests · Aug 16, 2023 · 1131404 · 1131404
1 parent 5ad156b
commit 1131404
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 1 deletion.
diff --git a/speculation-rules/prerender/csp-script-src-strict-dynamic.html b/speculation-rules/prerender/csp-script-src-strict-dynamic.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<meta name="timeout" content="long">
+<script src="/common/utils.js"></script>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/utils.js"></script>
+
+<body>
+  <script>
+    setup(() => assertSpeculationRulesIsSupported());
+
+    promise_test(async t => {
+      // The key used for storing a test result in the server.
+      const key = token();
+
+      // Open the test runner in a popup - it will prerender itself, record the
+      // test results, and send them back to this harness.
+      const url =
+        `resources/csp-script-src-strict-dynamic.html?key=${key}`;
+      window.open(url, '_blank', 'noopener');
+
+      // Wait until the test sends us the results.
+      const result = await nextValueFromServer(key);
+
+      assert_equals(result, "true", "");
+    }, 'Test if CSP script-src strict-dynamic allows inline speculationrules injected from the permitted scripts.');
+  </script>
+</body>
diff --git a/speculation-rules/prerender/resources/csp-script-src-strict-dynamic.html b/speculation-rules/prerender/resources/csp-script-src-strict-dynamic.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+
+<head>
+  <meta http-equiv="Content-Security-Policy"
+    content="script-src 'nonce-1' 'nonce-2' 'nonce-3' 'nonce-4' 'nonce-5' 'strict-dynamic'">
+</head>
+<script src="/common/utils.js" nonce="1"></script>
+<script src="/resources/testharness.js" nonce="2"></script>
+<script src="/resources/testharnessreport.js" nonce="3"></script>
+<script src="utils.js" nonce="4"></script>
+<script src="csp-script-src.js" nonce="5"></script>
+<script>
+  const params = new URLSearchParams(location.search);
+  writeValueToServer(params.get('key'), "csp is ignored unexpectedly");
+</script>
diff --git a/speculation-rules/prerender/resources/csp-script-src.js b/speculation-rules/prerender/resources/csp-script-src.js
@@ -3,7 +3,7 @@ const params = new URLSearchParams(location.search);
 // Take a key used for storing a test result in the server.
 const key = params.get('key');
 
-// Speculation rules injection is not blocked in the csp-script-src 'self' test.
+// Speculation rules injection is blocked in the csp-script-src 'self' test.
 const block = location.pathname.endsWith('csp-script-src-self.html');
 
 // The main test page (csp-script-src-*.html) in the parent directory) will load