object-src-url-blocked.html (1219B)
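<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <title>object-src 'none' blocks object loads and fires securitypolicyviolation</title>
  <!--
    Policy under test: object-src 'none' must block every object element in
    the body. script-src allows 'self' for the two testharness scripts and
    'unsafe-inline' only because this test uses an inline script and inline
    onload attributes; that relaxation is test scaffolding, not part of the
    behaviour being checked. The policy is delivered through a meta element,
    so it has to stay ahead of the scripts and objects it is meant to govern.
  -->
  <meta http-equiv="Content-Security-Policy"
        content="object-src 'none'; script-src 'self' 'unsafe-inline';">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
</head>

<body>
  <script>
    // Single async test: it completes only once every object element below
    // has produced a securitypolicyviolation event. If fewer events arrive,
    // t.done() is never called and the harness reports a timeout, not a pass.
    const t = async_test("Should block the object and fire a spv");

    // One violation report is expected per object element in this document.
    const expected = 3;
    let count = 0;

    window.addEventListener('securitypolicyviolation', t.step_func(e => {
      count++;
      // Each report must name object-src as the directive that was violated.
      assert_equals(e.violatedDirective, "object-src");
      if (count === expected) {
        t.done();
      }
    }));

    // Called from the inline onload attributes. A load event means the object
    // was fetched despite the policy, so the test fails immediately.
    function unexpectedObjectLoaded() {
      t.step(() => {
        assert_unreached('CSP should block this object from loading');
      });
    }
  </script>

  <!-- Case 1: image resource with an explicit type attribute. -->
  <object data="/content-security-policy/support/fail.png"
          onload="unexpectedObjectLoaded()"
          type="image/png">
  </object>

  <!-- Case 2: same resource, no type attribute. -->
  <object data="/content-security-policy/support/fail.png"
          onload="unexpectedObjectLoaded()">
  </object>

  <!--
    Case 3: no type attribute. NOTE(review): the data value looks like a plugin
    MIME type; as written it is resolved as a relative URL. Confirm that this
    is the intended input for the third expected violation.
  -->
  <object data="application/x-webkit-test-netscape"
          onload="unexpectedObjectLoaded()">
  </object>
</body>

</html>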