report-and-enforce.html (1531B)
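<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
  <title>Reporting and enforcing policies can be different</title>
  <!--
  Checks that an enforced policy and a report-only policy are evaluated
  independently of each other.

  CSP headers this page is expected to be served with (documented here; they
  are not set by this file):

  Content-Security-Policy: img-src 'none'; style-src *; script-src 'self' 'unsafe-inline'

  Content-Security-Policy-Report-Only: img-src *; style-src 'none'; script-src 'self' 'unsafe-inline'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}

  Expected outcome per resource type:
    image:      blocked by the enforced policy (img-src 'none'). Only the
                report-only policy has a report-uri and it allows images, so
                no report is expected for the image.
    stylesheet: allowed by the enforced policy (style-src *), so it loads.
                The report-only policy (style-src 'none') does not block it
                but should produce a violation report.

  Both policies carry 'unsafe-inline' in script-src; the inline test script
  below presumably depends on it. That is scaffolding for this test, not a
  setting to copy into a deployed policy.
  -->
</head>
<body>
  <script>
    // One async test per resource type; each is completed by the load/error
    // handlers attached below.
    var img_test = async_test("The image should be blocked");
    var sheet_test = async_test("The stylesheet should load");

    // Image: the enforced policy has img-src 'none', so the load must fail.
    // No report is expected, because the report-only policy allows images.
    // NOTE(review): nothing visible in this file asserts the absence of an
    // image report; whether checkReport.sub.js covers that cannot be told
    // from here.
    var i = document.createElement('img');
    i.onerror = img_test.step_func_done();
    i.onload = img_test.unreached_func("Should not have loaded the img");
    i.src = "../support/fail.png";
    document.body.appendChild(i);

    // Stylesheet: the enforced policy has style-src *, so the load must
    // succeed. The report-only policy has style-src 'none', so a violation
    // report should still be generated for it.
    var s = document.createElement('link');
    s.onerror = sheet_test.unreached_func("Should have loaded the stylesheet");
    s.onload = sheet_test.step_func_done();
    s.type = "text/css";
    s.rel = "stylesheet";
    s.href = "../support/fonts.css";
    document.body.appendChild(s);
  </script>
  <!--
  reportValue decodes to: style-src 'none'
  checkReport.sub.js is not shown here; presumably it fetches the stored
  report and compares its violated-directive field with that value.
  -->
  <script async defer src="../support/checkReport.sub.js?reportField=violated-directive&reportValue=style-src%20%27none%27"></script>
</body>
</html>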