tor-browser

The Tor Browser

worker-connect-src-blocked.sub.html (1355B)


      1 <!DOCTYPE html>
      2 <html>
      3 
      4 <head>
      5    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies.-->
           <!-- Document policy under test. connect-src * puts no restriction on where this page
                may connect; script-src 'self' 'unsafe-inline' allows same-origin script files
                and the inline script in the body. The permissive connect-src is the point of
                the test: the description below expects the worker to be blocked anyway. -->
      6    <meta http-equiv="Content-Security-Policy" content="connect-src *; script-src 'self' 'unsafe-inline';">
      7    <title>worker-connect-src-blocked</title>
      8    <script src="/resources/testharness.js"></script>
      9    <script src="/resources/testharnessreport.js"></script>
           <!-- The query strings configure the two support helpers. Presumably logs= is the
                sequence of log() messages the test must produce and alerts=[] means no alert()
                is expected; the helpers are not part of this file, confirm in ../support/. -->
     10    <script src='../support/logTest.sub.js?logs=["xhr blocked","TEST COMPLETE"]'></script>
     11    <script src='../support/alertAssert.sub.js?alerts=[]'></script>
     12 </head>
     13 <p>This test loads a worker, which is delivered with its own
     14    policy.  The worker should be blocked from making an XHR
     15    as that policy specifies a connect-src 'none', though
     16    this resource's policy is connect-src *.  No report
     17    should be sent since the worker's policy doesn't specify
     18    a report-uri.</p>
     19 <body>
           <!-- The inline script logs 'Fail' for any securitypolicyviolation event that reaches
                this window; 'Fail' is not in the logs= list above, so presumably that fails the
                test. It then starts the worker and passes each worker message to log(); an
                exception thrown by the Worker constructor is logged too. -->
           <!-- NOTE(review): the worker's connect-src 'none' policy is delivered with the worker
                script and is not visible in this file. What the test pins down for anyone
                relying on CSP: a worker fetched from a network URL is governed by the policy on
                its own response, so the page's connect-src does not loosen it. The converse
                presumably holds as well (a worker script served without a policy is not
                restricted by the page's connect-src), so worker scripts need their own
                Content-Security-Policy header; confirm against the deployed headers. -->
     20    <script>
     21        window.addEventListener('securitypolicyviolation', function(e) {
     22            log('Fail');
     23        });
     24 
     25        try {
     26            var worker = new Worker('/content-security-policy/connect-src/support/worker-make-xhr-blocked.sub.js');
     27            worker.onmessage = function(event) {
     28                log(event.data);
     29            };
     30        } catch (e) {
     31            log(e);
     32        }
     33 
     34    </script>
     35    <div id="log"></div>
     36 </body>
     37 
     38 </html>