From 4ec8cb88ca8735aada4e6be7721f5ed65241c0f2 Mon Sep 17 00:00:00 2001
From: Jonathan Hao <phao@chromium.org>
Date: Wed, 27 Dec 2023 08:06:42 -0800
Subject: [PATCH] [CSP] Regression WPT for nonce hiding on dangling html/body

See bug or https://crrev.com/c/5149755

Bug: 1513216
Change-Id: Ie04e0d900e8d49ffd99fc60579f50cbd460cad2a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5148217
Commit-Queue: Jonathan Hao <phao@chromium.org>
Commit-Queue: Yifan Luo <lyf@chromium.org>
Reviewed-by: Yifan Luo <lyf@chromium.org>
Auto-Submit: Jonathan Hao <phao@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1241168}
---
 .../nonce-hiding/dangling-html-or-body.html   | 29 +++++++++++++++++++
 .../dangling-html-or-body.html.headers        |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 content-security-policy/nonce-hiding/dangling-html-or-body.html
 create mode 100644 content-security-policy/nonce-hiding/dangling-html-or-body.html.headers

diff --git a/content-security-policy/nonce-hiding/dangling-html-or-body.html b/content-security-policy/nonce-hiding/dangling-html-or-body.html
new file mode 100644
index 00000000000000..4ba65e05b885cb
--- /dev/null
+++ b/content-security-policy/nonce-hiding/dangling-html-or-body.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js" nonce="secret"></script>
+<script src="/resources/testharnessreport.js" nonce="secret"></script>
+
+<!-- `Content-Security-Policy: script-src 'nonce-secret'` delivered via headers -->
+
+<body>
+  <style>body[nonce*=secret]{background:url(/security/resources/abe.png);}</style>
+  <body
+  <script nonce="secret" src="https://example.com/good.js"></script>
+  <script nonce="secret">
+    test(t => {
+      const body = document.querySelector('body');
+      var style = getComputedStyle(body);
+      assert_equals(style['background-image'], 'none');
+    }, "Nonces don't leak via CSS side-channels when a dangling body is injected.");
+  </script>
+
+  <style>html[nonce*=secret]{background:url(/security/resources/abe.png);}</style>
+  <html
+  <script nonce="secret" src="https://example.com/good.js"></script>
+  <script nonce="secret">
+    test(t => {
+      const html = document.querySelector('html');
+      var style = getComputedStyle(html);
+      assert_equals(style['background-image'], 'none');
+    }, "Nonces don't leak via CSS side-channels when a dangling html is injected.");
+  </script>
+</body>
diff --git a/content-security-policy/nonce-hiding/dangling-html-or-body.html.headers b/content-security-policy/nonce-hiding/dangling-html-or-body.html.headers
new file mode 100644
index 00000000000000..67d4c81e589d48
--- /dev/null
+++ b/content-security-policy/nonce-hiding/dangling-html-or-body.html.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'nonce-secret'