Source expressions in a separate policy are honored with `strict-dynamic` in the script-src directive.

Summary

Harness status: OK

Found 2 tests

Details

Result | Test Name | Message
Pass | Script injected via `appendChild` is permitted with `strict-dynamic` + a nonce+allowed double policy. | Asserts run: No asserts ran
Pass | Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy. | Asserts run:
    Pass assert_equals("script-src-elem", "script-src-elem")
        at Test.<anonymous> ( /content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html:47:17)
    Pass assert_equals("script-src 'self' 'nonce-dummy'", "script-src 'self' 'nonce-dummy'")
        at Test.<anonymous> ( /content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html:48:17)