combine-header-and-meta-policies.sub.html (1696B)
<!DOCTYPE html>
<html>

<head>
    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies.-->
    <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
    <title>combine-header-and-meta-policies</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
    <script src='../support/logTest.sub.js?logs=["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]'></script>
    <script src="../support/alertAssert.sub.js?alerts=[]"></script>
    <!-- enforcing multiple policies:
Content-Security-Policy: script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'
Content-Security-Policy: img-src 'none'
-->
</head>

<body>
    <p>Test passes if both style and image are blocked and a report is generated for the
    style block from the header-supplied policy.</p>

    <script>
        window.addEventListener('securitypolicyviolation', function(e) {
            log("violated-directive=" + e.violatedDirective);
        });

        var img = document.createElement('img');
        img.src = '../support/fail.png';
        img.onerror = function() {
            log("TEST COMPLETE");
        };
        img.onload = function() {
            log("FAIL");
        };
        document.body.appendChild(img);

    </script>
    <style>
        body {
            background-color: blue;
        }

    </style>
    <script>
        var el = document.querySelector('body');
        test(function() {
            assert_equals(window.getComputedStyle(el).color, "rgb(0, 0, 0)")
        });

    </script>
    <div id="log"></div>
</body>

</html>
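Added example, not part of the test file above or of the web-platform-tests project: a simplified Node.js model of why this test expects exactly one `img-src` and one `style-src-elem` violation when the header policy and the meta policy are enforced together. The function names, the `kind` values and the `origin` labels are assumptions made for illustration; only the `'self'` and `'unsafe-inline'` source expressions are modelled (no nonces, hashes, hosts or schemes).

```javascript
// Simplified model of enforcing several Content-Security-Policy values at once.
// Fallback chains, effective directive first (as in CSP Level 3).
const FALLBACK = {
  'img-src': ['img-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
};

// Parse "a x y; b z" into Map { a => [x, y], b => [z] }.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// kind is 'inline' or 'same-origin' (hypothetical labels for this example).
function allowedBy(policy, effectiveDirective, kind) {
  const name = FALLBACK[effectiveDirective].find((d) => policy.has(d));
  if (name === undefined) return true; // policy has no governing directive: it is silent
  // 'none' (or an empty list) matches nothing, so both lookups below fail.
  return policy.get(name).includes(kind === 'inline' ? "'unsafe-inline'" : "'self'");
}

// A load proceeds only if EVERY policy allows it. Each policy that refuses
// reports its own violation, named after the effective directive.
function violations(policies, effectiveDirective, kind) {
  return policies
    .filter((p) => !allowedBy(p.policy, effectiveDirective, kind))
    .map((p) => `${p.origin}: violated-directive=${effectiveDirective}`);
}

// The two policies listed in the test file's comment.
const policies = [
  { origin: 'header', policy: parsePolicy("script-src 'self' 'unsafe-inline'; connect-src 'self'; style-src 'self'") },
  { origin: 'meta', policy: parsePolicy("img-src 'none'") },
];

console.log(violations(policies, 'img-src', 'same-origin'));    // ../support/fail.png
console.log(violations(policies, 'style-src-elem', 'inline'));  // the <style> block
console.log(violations(policies, 'script-src-elem', 'inline')); // the inline <script> blocks
```

The header policy is silent on images and the meta policy is silent on styles, so each blocked load is refused by only one of the two policies. The inline scripts run because the header's `script-src` carries `'unsafe-inline'` and the meta policy does not restrict scripts.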