default-src-strict_dynamic_and_unsafe_inline.html (759B)
<!doctype html>
<html>

<head>
  <!--
    CSP check: when 'strict-dynamic' is present in a source list, the
    'unsafe-inline' keyword in that same list must be ignored. The policy
    below sets only default-src (the fallback used for script loading) and
    carries no nonce or hash, so nothing in it can allow the inline script
    in <body>.
  -->
  <title>`strict-dynamic` policy should discard `unsafe-inline` policy.</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <script>
    // This inline block runs because it is parsed before the <meta> policy
    // further down; a <meta>-delivered policy does not apply to content
    // that precedes it.
    var violationTest = async_test("Should fire a security policy violation for the inline block");

    // The test passes once a violation report names the blocked resource
    // as 'inline'.
    function checkBlockedInline(violation) {
      assert_equals(violation.blockedURI, 'inline');
    }

    window.addEventListener('securitypolicyviolation', violationTest.step_func_done(checkBlockedInline));
  </script>
  <!--
    Ordering matters: keep this <meta> after the harness scripts and the
    listener above. Moving it earlier would block them as well and the test
    could never report a result.
  -->
  <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'strict-dynamic'">
</head>

<body>
  <script>
    // Expected to be blocked. A user agent that does not implement
    // 'strict-dynamic' would still honour 'unsafe-inline' and reach this line.
    assert_unreached('Inline script shouldn\'t be run because of the `strict-dynamic` source expression.');
  </script>
</body>

</html>