strict-dynamic-elem-blocked-src-allowed.sub.html (875B)
1 <!DOCTYPE html> 2 <html> 3 4 <head> 5 <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'nonce-abc'; 6 script-src-elem 'nonce-abc';"> 7 <script nonce='abc' src="/resources/testharness.js"></script> 8 <script nonce='abc' src="/resources/testharnessreport.js"></script> 9 </head> 10 11 <body> 12 <script nonce='abc'> 13 var t = async_test("Should fire a security policy violation event"); 14 window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) { 15 assert_equals(e.violatedDirective, "script-src-elem"); 16 assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/script-src-attr-elem/support/t_fail.js"); 17 })); 18 19 var s = document.createElement('script'); 20 s.src = 'support/t_fail.js'; 21 document.head.appendChild(s); 22 </script> 23 </body> 24 25 </html>