form-action-src-javascript-blocked.sub.html (1452B)
<!DOCTYPE html>
<html>

<head>
    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies.-->
    <!-- form-action 'none' blocks every form submission target, including javascript: URLs. -->
    <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
    <title>form-action-src-javascript-blocked</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
    <script src='../support/logTest.sub.js?logs=["violated-directive=form-action","TEST COMPLETE"]'></script>
    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
    <script nonce='noncynonce'>
        // Record which directive was violated so logTest.sub.js can compare it with the expected log.
        window.addEventListener('securitypolicyviolation', function(e) {
            log('violated-directive=' + e.violatedDirective);
        });
        // Once the page has loaded, submit the form; the policy should block the submission.
        window.addEventListener('load', function() {
            setTimeout(function() {
                document.getElementById('submit').click();
                log("TEST COMPLETE");
            }, 0);
        });
    </script>
</head>

<body>
    <!-- The javascript: action must never run; if it does, "FAIL!" is logged. -->
    <form action="javascript:log(&quot;FAIL!&quot;)" id="theform" method="post">
        <input type="text" name="fieldname" value="fieldvalue">
        <input type="submit" id="submit" value="submit">
    </form>
    <p>Tests that blocking form actions works correctly. If this test passes, a CSP violation will be generated, and you will not see a JavaScript alert.</p>
    <div id="log"></div>
</body>

</html>