generic-0_1-script-src.html (1455B)
<!DOCTYPE HTML>
<html>
<head>
    <title>default-src should cascade to script-src directive</title>
    <!--
      Policy under test. Only default-src is declared, so script loads on this
      page are checked against default-src as the fallback source list.
      'self' permits same-origin script files; 'unsafe-inline' is what lets the
      inline <script> blocks below run. The meta element is placed ahead of
      every <script> element, because a policy delivered through meta does not
      cover content that precedes it.
    -->
    <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline';">
    <script src='/resources/testharness.js'></script>
    <script src='/resources/testharnessreport.js'></script>
    <script src='../support/siblingPath.js'></script>
</head>
<body>
    <h1>default-src should cascade to script-src directive</h1>
    <!-- Doubles as the parent node for the script element inserted further down. -->
    <div id='log'></div>

    <script>
        // One result for the load that must be blocked, one for the load that
        // must still be allowed.
        var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block");
        var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow");
        // Nothing on this page sets this flag to true; presumably pass-0_1.js
        // (not shown here) does. Verify against that file.
        var allowedScriptRan = false;
        var t_spv = async_test("Should fire violation events for every failed violation");

        // Registered before the two script loads below so that no violation
        // report is missed. The assertion expects script-src-elem although the
        // policy declares only default-src: the event is expected to name the
        // directive that governs script elements, not the fallback that
        // supplied the source list.
        // NOTE(review): step_func_done completes t_spv once the first event has
        // been asserted, so any later violation event is not checked.
        window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
            assert_equals(e.violatedDirective, "script-src-elem");
        }));
    </script>

    <!-- Same-directory script file; under 'self' this load is expected to succeed. -->
    <script src='pass-0_1.js'></script>

    <script>
        // Despite the variable name, this element carries a src and is an
        // external load, not an inline script. Its URL comes from
        // buildSiblingPath, defined in ../support/siblingPath.js (not shown);
        // presumably it points at a 'www1' sibling host that 'self' does not
        // cover. Verify against the helper.
        var inlineScript = document.createElement('script');
        inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js');
        document.getElementById('log').appendChild(inlineScript);
        // Runs on the window load event. scriptsrc1 is completed with no
        // assertion of its own, so the "block" result passes unless something
        // failed it earlier; presumably fail-0_1.js would do that if it were
        // ever executed. Verify against that file.
        onload = function() {
            scriptsrc1.done();
            // The "allow" result depends on the flag that the permitted script
            // is expected to have set by now.
            scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") });
            scriptsrc2.done();
        }
    </script>
</body>
</html>