8000 No public description by copybara-service[bot] · Pull Request #452 · google/safevalues · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

No public description #452

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

No public description #452

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions src/dom/elements/script.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,7 @@ import {getScriptNonce} from '../globals/window.js';

/** Propagates CSP nonce to dynamically created scripts. */
function setNonceForScriptElement(script: HTMLScriptElement) {
const win = script.ownerDocument && script.ownerDocument.defaultView;
const nonce = getScriptNonce(win || window);
const nonce = getScriptNonce(script.ownerDocument || document);
if (nonce) {
script.setAttribute('nonce', nonce);
}
Expand Down
45 changes: 30 additions & 15 deletions src/dom/globals/window.ts
View file
Open in desktop
10000
Original file line number Diff line number Diff line change
Expand Up @@ -23,28 +23,43 @@ export function open(
return null;
}

/** Returns CSP nonce, if set for any script tag. */
export function getScriptNonce(win: Window): string {
return getNonceFor('script', win);
/**
* Returns CSP nonce, if set for any script tag.
*/
export function getScriptNonce(documentOrWindow?: Document | Window): string {
return getNonceFor('script', documentOrWindow);
}

/** Returns CSP nonce, if set for any style tag. */
export function getStyleNonce(win: Window): string {
return getNonceFor('style', win);
/**
* Returns CSP nonce, if set for any style tag.
*/
export function getStyleNonce(documentOrWindow?: Document | Window): string {
return getNonceFor('style', documentOrWindow);
}

function getNonceFor(elementName: 'script' | 'style', win: Window): string {
const doc = win.document;
function getNonceFor(
elementName: 'script' | 'style',
documentOrWindow: Document | Window = document,
): string {
// Note: We can't use `instanceof` here because `documentOrWindow` likely
// comes from a different realm.
const doc =
'document' in documentOrWindow
? documentOrWindow.document
: documentOrWindow;

// document.querySelector can be undefined in non-browser environments.
const el = doc.querySelector?.<HTMLScriptElement | HTMLStyleElement>(
`${elementName}[nonce]`,
);
if (el) {
// Try to get the nonce from the IDL property first, because browsers that
// implement additional nonce protection features (currently only Chrome) to
// prevent nonce stealing via CSS do not expose the nonce via attributes.
// See https://github.com/whatwg/html/issues/2369
return el['nonce'] || el.getAttribute('nonce') || '';

if (el == null) {
return '';
}
return '';

// Try to get the nonce from the IDL property first, because browsers that
// implement additional nonce protection features (currently only Chrome) to
// prevent nonce stealing via CSS do not expose the nonce via attributes.
// See https://github.com/whatwg/html/issues/2369
return el['nonce'] || el.getAttribute('nonce') || '';
}
60 changes: 60 additions & 0 deletions test/dom/globals/window_test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
/**
* @license
* Copyright Google LLC
* SPDX-License-Identifier: Apache-2.0
*/

import {getScriptNonce} from '../../../src/dom/globals/window';

describe('Window', () => {
describe('getScriptNonce', () => {
it('returns a nonce if a script tag with nonce is found', () => {
const doc = document.implementation.createHTMLDocument();
const script = doc.createElement('script');
script.setAttribute('nonce', '123');
doc.body.appendChild(script);
expect(getScriptNonce(doc)).toEqual('123');
});

it('accepts a window', async () => {
const iframe = document.createElement('iframe');
const iframeLoaded = new Promise((resolve) => {
iframe.>
});
document.body.appendChild(iframe);
await iframeLoaded;

const doc = iframe.contentDocument!;
const script = doc.createElement('script');
script.setAttribute('nonce', '234');
doc.body.appendChild(script);

const win = iframe.contentWindow!;
expect(win).not.toBeNull();
expect(getScriptNonce(win)).toEqual('234');
});

it('returns empty string if no script tag is found', () => {
const doc = document.implementation.createHTMLDocument();
expect(getScriptNonce(doc)).toEqual('');
});

it('returns empty string if no nonce is found', () => {
const doc = document.implementation.createHTMLDocument();
const script = doc.createElement('script');
doc.body.appendChild(script);
expect(getScriptNonce(doc)).toEqual('');
});

it('returns nonce from current document when passed in no arguments', () => {
const script = document.createElement('script');
script.setAttribute('nonce', '345');

spyOn(document, 'querySelector')
.withArgs('script[nonce]')
.and.returnValue(script);

expect(getScriptNonce()).toEqual('345');
});
});
});
Loading
0