icon-blocked.sub.html (1237B)
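<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <!-- Policy under test: img-src 'none'. Inline script is allowed by
       script-src so that the test body below can run. -->
  <meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'self' 'unsafe-inline'; connect-src 'self';">
  <title>CSP img-src 'none': dynamically added favicon is blocked</title>
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
</head>
<body>
  <p>Use callbacks to show that favicons are not loaded in violation of CSP when link tags are dynamically added to the page.</p>
  <script>
    // Two independent signals that the icon fetch was blocked:
    //   t     - the link element reports `error` and never `load`.
    //   t_spv - a securitypolicyviolation event is reported for img-src.
    var t = async_test("Test that image does not load");
    var t_spv = async_test("Test that spv event is fired");

    // The violation must name the img-src directive, be dispatched at the
    // document, and carry the URL of the icon that was requested.
    window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
      assert_equals(e.violatedDirective, 'img-src');
      assert_equals(e.target, document);
      assert_true(e.blockedURI.endsWith('/support/fail.png'));
    }));

    /**
     * Append a <link> element to <head> after the document has been parsed.
     *
     * @param {string} rel  Value for the link's rel attribute.
     * @param {string} src  URL assigned to the link's href.
     */
    function createLink(rel, src) {
      var link = document.createElement('link');
      link.rel = rel;
      link.href = src;
      // Pass a callback here. Assigning the result of `t.done()` completes
      // the test at assignment time and leaves onerror unset, so the test
      // passes before the link is even inserted and the onload guard below
      // can no longer fail it.
      // NOTE(review): if a user agent reports the CSP block without
      // dispatching `error` on an icon link, this test now times out instead
      // of passing vacuously; confirm against the target browsers. The
      // securitypolicyviolation test above is unaffected.
      link.onerror = t.step_func_done();
      link.onload = t.unreached_func('The image should not have loaded');
      document.head.appendChild(link);
    }

    // Insert the icon link only once parsing is complete, so the link is
    // added dynamically rather than being part of the parsed markup.
    window.addEventListener('DOMContentLoaded', function() {
      createLink('icon', '../support/fail.png');
    });
  </script>
</body>
</html>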