form-action-src-javascript-prevented.html (1408B)
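<!DOCTYPE html>
<html>

<head>
  <meta charset="utf-8">
  <title>form-action 'none': no violation report when the submit event is default-prevented</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <!-- Policy under test: form-action 'none' allows no form submission target at all.
       script-src admits same-origin scripts and the nonce'd inline test script below. -->
  <meta http-equiv="Content-Security-Policy" content="form-action 'none'; script-src 'self' 'nonce-noncynonce'; connect-src 'self';">
</head>

<body>
  <!-- target="_blank" would open the action URL in a new browsing context if the
       submission were ever carried out. -->
  <form action="/content-security-policy/support/postmessage-pass-to-opener.html"
        id="form_id"
        target="_blank">
    <input type="submit">
  </form>

  <p>
    Test that "form-action 'none'" doesn't create a violation report if the event was prevented.
  </p>

  <!-- Kept inside <body>: a script placed after </body> is not valid markup, even
       though parsers recover from it. -->
  <script nonce="noncynonce">
    // Expectation under test: when a submit handler calls preventDefault(), no
    // submission takes place, so the page must see neither a CSP violation report
    // nor any sign that the form target was loaded.
    async_test(t => {
      // A violation report here would be a false positive: nothing was submitted,
      // so there was nothing for form-action to block.
      // t.unreached_func() binds the assertion to this test, so a hit is reported
      // as a failure of this test rather than as an uncaught exception.
      document.addEventListener('securitypolicyviolation',
        t.unreached_func('Form submission was blocked.'));

      // Presumably the support page posts a message back to its opener once it
      // loads (going by its file name; the page itself is not visible here). A
      // message therefore means the form was submitted, not that it was blocked,
      // and the failure text says so.
      window.addEventListener('message',
        t.unreached_func('Form was submitted despite preventDefault().'));

      window.addEventListener("load", function() {
        const form = document.getElementById("form_id");
        form.addEventListener("submit", e => {
          e.preventDefault();
          // NOTE(review): a 0 ms timer gives a very short observation window; a
          // violation event or opener message delivered after t.done() would go
          // unnoticed. Confirm this is long enough on the engines being tested.
          t.step_timeout(() => {
            t.done();
          }, 0);
        });
        // clicking the input is used here as form.submit() will submit a form without an event and should also be blocked.
        form.querySelector("input").click();
      });
      // Title text is left exactly as it was: test results are tracked by subtest name.
    }, "The form submission should not be blocked by when javascript prevents the load.");
  </script>
</body>

</html>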