script-src-elem-allowed-attr-blocked.html (847B)
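<!DOCTYPE html>
<html>

<head>
  <!--
    Policy under test: script-src-elem permits same-origin and inline script
    elements, while script-src-attr 'none' forbids every inline event-handler
    attribute. 'unsafe-inline' is present only so that the inline script
    blocks of this test can run; it must not relax the restriction on
    handler attributes.
  -->
  <meta http-equiv="Content-Security-Policy" content="script-src-elem 'self' 'unsafe-inline'; script-src-attr 'none';">
  <script src="/resources/testharness.js"></script>
  <script src="/resources/testharnessreport.js"></script>
</head>

<body>
  <script>
    // Registered before the <img> below is parsed, so the violation raised
    // for its onload attribute cannot be missed.
    var t = async_test("Should fire a security policy violation for the attribute");
    window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
      // The report must name the attribute directive rather than
      // script-src-elem, and must identify the blocked resource as inline.
      assert_equals(e.violatedDirective, 'script-src-attr');
      assert_equals(e.blockedURI, 'inline');
    }));

    var t1 = async_test("Should execute the inline script block");
  </script>

  <!-- A second inline block: it only runs if script-src-elem allows it. -->
  <script>
    t1.done();
  </script>

  <!--
    unreached_func() only returns a failing step function, so the handler has
    to invoke the returned function for the test to fail (instead of merely
    timing out) if the policy ever lets this attribute execute.
  -->
  <img src="../support/pass.png" alt="" onload="t.unreached_func('should not have run this event handler')()">
</body>

</html>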