script-src-report-only-policy-works-with-hash-policy.html (1073B)
<!DOCTYPE HTML>
<html>
<head>
  <!--
    Content Security Policy test. Per the title, two policies apply to this
    document: a report-only policy that does not allow the un-nonced inline
    script below, and an enforcing policy that allows it by hash.
    NOTE(review): neither policy appears in this markup; presumably both are
    delivered as response headers. Confirm against whatever configures them.
  -->
  <title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
  <!-- nonces are here just to let all of our scripts run -->
  <script nonce="abc" src='/resources/testharness.js'></script>
  <script nonce="abc" src='/resources/testharnessreport.js'></script>
</head>
<body>
  <script nonce="abc">
    // Passes only if the un-nonced inline script further down has executed.
    var t = async_test("Test that script executes if allowed by proper hash values");
    // Passes only if a violation event with the expected fields is observed.
    var t_spv = async_test("Test that the securitypolicyviolation event is fired");
    // step_func_done runs the assertions as a step of t_spv and then completes it,
    // so only the first violation event delivered to this listener is checked.
    document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
      // The violation is attributed to the directive governing script elements.
      assert_equals(e.violatedDirective, "script-src-elem");
      // "report" (as opposed to "enforce") marks a violation of a report-only
      // policy: it is reported, but the script is not blocked because of it.
      assert_equals(e.disposition, "report");
      // The offending resource is an inline script, not a fetched URL.
      assert_equals(e.blockedURI, "inline");
    }));
    // Flipped to true by the un-nonced inline script below.
    var executed = false;
  </script>

  <!--
    test will fail if this script is not allowed to run.
    It carries no nonce, so it runs only if the enforcing policy allows it
    another way; per the title, that is a hash source. A hash source matches
    the exact script text, so keep the content between the tags unchanged
    (whitespace included) unless the hash in the policy is updated with it.
  -->
  <script>executed = true;</script>

  <script nonce="abc">
    // Inline scripts run in document order, so the flag is already set here
    // if the script above was allowed to execute.
    t.step(function() {
      assert_true(executed);
      t.done();
    });
  </script>
</body>
</html>