object-src-no-url-allowed.html (636B)
1 <!DOCTYPE html> 2 <html> 3 4 <head> 5 <script src="/resources/testharness.js"></script> 6 <script src="/resources/testharnessreport.js"></script> 7 <!-- Content-Security-Policy: object-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}} --> 8 </head> 9 10 <body> 11 <object type="application/x-webkit-test-netscape"></object> 12 13 <!-- we rely on the report because we can't rely on the onload event for 14 "allowed" tests as it is not fired for object and embed --> 15 <script async defer src='../support/checkReport.sub.js?reportExists=false'></script> 16 </body> 17 18 </html>