<!DOCTYPE html>
<html>
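<head>
<!-- Declared first so the document encoding is fixed before any other content is parsed. -->
<meta charset="utf-8">
<!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies. -->
<title>scripthash-unicode-normalization</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- enforcing policy:
script-src 'self' 'nonce-nonceynonce' 'sha256-dWTP4Di8KBjaiXvQ5mRquI9OoBSo921ahYxLfYSiuT8='; connect-src 'self';
NOTE(review): this document contains no <meta> policy, so the policy above is
presumably delivered as an HTTP response header; confirm against the served headers.
-->
</head>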
<body>
<!-- The following two scripts contain two separate code points (U+00C5
and U+212B, respectively) which, depending on your text editor, might be
rendered the same. However, their difference is important because, under
NFC normalization, they would become the same code point, and hashing a
normalized form would be against the spec. This test, therefore, validates
that the scripts have *different* hash values. -->
<script nonce="nonceynonce">
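// The two strings differ only in one look-alike code point. They are written
// as escapes rather than literal characters so that an editor, VCS filter or
// copy/paste step that applies NFC cannot silently collapse them into one and
// turn this test into a no-op.
var matchingContent = '\u00C5';    // U+00C5 LATIN CAPITAL LETTER A WITH RING ABOVE
var nonMatchingContent = '\u212B'; // U+212B ANGSTROM SIGN

// This script should have a hash value of
// sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
// NOTE(review): that value differs from the sha256 source listed in the
// "enforcing policy" comment in <head>; one of the two is presumably stale.
// Recompute over the exact UTF-8 bytes of scriptContent1 and confirm.
var scriptContent1 = "window.finish('" + matchingContent + "');";
// This script should have a hash value of
// sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
// (intentionally absent from the policy, so this script must be blocked).
var scriptContent2 = "window.finish('" + nonMatchingContent + "');";

// The script text is plain text, so it is assigned as text rather than
// through the HTML fragment parser.
var script1 = document.createElement('script');
script1.textContent = scriptContent1;
var script2 = document.createElement('script');
script2.textContent = scriptContent2;

script1.test = async_test("Inline script with hash in CSP");
script2.test = async_test("Inline script without hash in CSP");

// An error event on script1 means the allowed script was blocked. The failure
// is attributed to script1's test instead of being thrown outside any test
// step, where it would surface only as a harness error.
var failure = script1.test.unreached_func(
    "script1 matches a hash in the policy and must not be blocked");

// Called by whichever injected script actually executes.
window.finish = function(content) {
  if (content === matchingContent) {
    // The allowed script ran: expected outcome for script1.
    script1.test.done();
  } else {
    // Any other payload means a script whose hash is not in the policy ran.
    script2.test.step(function() {
      assert_unreached("script2 executed although its hash is not in the policy");
    });
  }
};

script1.onerror = failure;
// script2 is expected to be blocked; the resulting error event completes its test.
script2.onerror = script2.test.step_func_done();

document.body.appendChild(script1);
document.body.appendChild(script2);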
</script>
<p>
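This tests that Unicode normalization is not applied before hashing. While appearing the same, the strings in the two scripts are different Unicode code points (U+00C5 and U+212B); they would only become the same through NFC normalization, so their hashes must differ and only the script whose hash is listed in the policy may run.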
</p>
<div id="log"></div>
<script async defer src="../support/checkReport.sub.js?reportExists=true"></script>
</body>
</html>