script-src-attr-blocked-src-allowed.html (720B)
1 <!DOCTYPE html> 2 <html> 3 4 <head> 5 <meta http-equiv="Content-Security-Policy" content="script-src-attr 'none'; 6 script-src 'unsafe-inline' 'self';"> 7 <script src="/resources/testharness.js"></script> 8 <script src="/resources/testharnessreport.js"></script> 9 </head> 10 11 <body> 12 <script> 13 var t = async_test("Should fire a security policy violation event"); 14 window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { 15 assert_equals(e.violatedDirective, 'script-src-attr'); 16 assert_equals(e.blockedURI, 'inline'); 17 })); 18 </script> 19 20 <img src="../support/pass.png" onload="t.unreached_func('Should not have executed the inline handler')"> 21 </body> 22 23 </html>