object-src-url-embed-blocked.html (662B)
1 <!DOCTYPE html> 2 <html> 3 4 <head> 5 <meta http-equiv="Content-Security-Policy" content="object-src 'none'; script-src 'self' 'unsafe-inline';"> 6 <script src="/resources/testharness.js"></script> 7 <script src="/resources/testharnessreport.js"></script> 8 </head> 9 10 <body> 11 <script> 12 var t = async_test("Should block the object and fire a spv"); 13 window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { 14 assert_equals(e.violatedDirective, "object-src"); 15 })); 16 </script> 17 18 <embed height="40" width="40" type="image/png" 19 src="/content-security-policy/support/fail.png"></embed> 20 </body> 21 22 </html>